NIST Special Publication 800-12

An Introduction to Computer Security: The NIST Handbook

Barbara Guttman and Edward A. Roback
National Institute of Standards and Technology
U.S. Department of Commerce, Technology Administration

Cover: the handbook's major control areas (Assurance, User Issues, Planning, Personnel, Access Controls, Support and Operations, Physical Security, Policy, Management) are shown grouped around the words COMPUTER SECURITY.

QC 100 U57 NO. 800-12 1995

The National Institute of Standards and Technology was established in 1988 by Congress to assist industry in the development of technology needed to improve product quality, to modernize manufacturing processes, to ensure product reliability, and to facilitate rapid commercialization of products based on new scientific discoveries. NIST, originally founded as the National Bureau of Standards in 1901, works to strengthen U.S. industry's competitiveness; advance science and engineering; and improve public health, safety, and the environment. One of the agency's basic functions is to develop, maintain, and retain custody of the national standards of measurement, and provide the means and methods for comparing standards used in science, engineering, manufacturing, commerce, industry, and education with the standards adopted or recognized by the Federal Government.

As an agency of the U.S. Commerce Department's Technology Administration, NIST conducts basic and applied research in the physical sciences and engineering and develops measurement techniques, test methods, standards, and related services. The Institute does generic and precompetitive work on new and advanced technologies. NIST's research facilities are located at Gaithersburg, MD 20899, and at Boulder, CO 80303. Major technical operating units are listed below. For more information contact the Public Inquiries Desk, 301-975-3058.
Major technical operating units: Office of the Director; Technology Services; Electronics and Electrical Engineering Laboratory; Chemical Science and Technology Laboratory; Physics Laboratory; Manufacturing Engineering Laboratory; Materials Science and Engineering Laboratory; Building and Fire Research Laboratory; Computer Systems Laboratory; Computing and Applied Mathematics Laboratory. Some units and elements are located at Boulder, CO 80303.

The Computer Systems Laboratory, which produced this handbook, comprises the Office of Enterprise Integration, Information Systems Engineering, Systems and Software Technology, Computer Security, Systems and Network Architecture, and Advanced Systems.

NIST Special Publication 800-12

An Introduction to Computer Security: The NIST Handbook

Barbara Guttman and Edward Roback

COMPUTER SECURITY

Computer Systems Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-0001

October 1995
U.S. Department of Commerce, Ronald H. Brown, Secretary
Technology Administration, Mary L. Good, Under Secretary for Technology
National Institute of Standards and Technology, Arati Prabhakar, Director

Reports on Computer Systems Technology

The National Institute of Standards and Technology (NIST) has a unique responsibility for computer systems technology within the Federal government. NIST's Computer Systems Laboratory (CSL) develops standards and guidelines, provides technical assistance, and conducts research for computers and related telecommunications systems to achieve more effective utilization of Federal information technology resources. CSL's responsibilities include development of technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive unclassified information processed in Federal computers. CSL assists agencies in developing security plans and in improving computer security awareness training. This Special Publication 800 series reports CSL research and guidelines to Federal agencies as well as to organizations in industry, government, and academia.

National Institute of Standards and Technology Special Publication 800-12
Natl. Inst. Stand. Technol. Spec. Publ. 800-12, 272 pages (Oct. 1995)
CODEN: NSPUE2

U.S. GOVERNMENT PRINTING OFFICE, WASHINGTON: 1995
For sale by the Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402

Table of Contents

I. INTRODUCTION AND OVERVIEW

Chapter 1. INTRODUCTION
1.1 Purpose
1.2 Intended Audience
1.3 Organization
1.4 Important Terminology
1.5 Legal Foundation for Federal Computer Security Programs

Chapter 2. ELEMENTS OF COMPUTER SECURITY
2.1 Computer Security Supports the Mission of the Organization
2.2 Computer Security is an Integral Element of Sound Management
2.3 Computer Security Should Be Cost-Effective
2.4 Computer Security Responsibilities and Accountability Should Be Made Explicit
2.5 Systems Owners Have Security Responsibilities Outside Their Own Organizations
2.6 Computer Security Requires a Comprehensive and Integrated Approach
2.7 Computer Security Should Be Periodically Reassessed
2.8 Computer Security is Constrained by Societal Factors

Chapter 3. ROLES AND RESPONSIBILITIES
3.1 Senior Management
3.2 Computer Security Management
3.3 Program and Functional Managers/Application Owners
3.4 Technology Providers
3.5 Supporting Functions
3.6 Users

Chapter 4. COMMON THREATS: A BRIEF OVERVIEW
4.1 Errors and Omissions
4.2 Fraud and Theft
4.3 Employee Sabotage
4.4 Loss of Physical and Infrastructure Support
4.5 Malicious Hackers
4.6 Industrial Espionage
4.7 Malicious Code
4.8 Foreign Government Espionage
4.9 Threats to Personal Privacy

II. MANAGEMENT CONTROLS

Chapter 5. COMPUTER SECURITY POLICY
5.1 Program Policy
5.2 Issue-Specific Policy
5.3 System-Specific Policy
5.4 Interdependencies
5.5 Cost Considerations

Chapter 6. COMPUTER SECURITY PROGRAM MANAGEMENT
6.1 Structure of a Computer Security Program
6.2 Central Computer Security Programs
6.3 Elements of an Effective Central Computer Security Program
6.4 System-Level Computer Security Programs
6.5 Elements of Effective System-Level Programs
6.6 Central and System-Level Program Interactions
6.7 Interdependencies
6.8 Cost Considerations

Chapter 7. COMPUTER SECURITY RISK MANAGEMENT
7.1 Risk Assessment
7.2 Risk Mitigation
7.3 Uncertainty Analysis
7.4 Interdependencies
7.5 Cost Considerations

Chapter 8. SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE
8.1 Computer Security Act Issues for Federal Systems
8.2 Benefits of Integrating Security in the Computer System Life Cycle
8.3 Overview of the Computer System Life Cycle
8.4 Security Activities in the Computer System Life Cycle
8.5 Interdependencies
8.6 Cost Considerations

Chapter 9. ASSURANCE
9.1 Accreditation and Assurance
9.2 Planning and Assurance
9.3 Design and Implementation Assurance
9.4 Operational Assurance
9.5 Interdependencies
9.6 Cost Considerations

III. OPERATIONAL CONTROLS

Chapter 10. PERSONNEL/USER ISSUES
10.1 Staffing
10.2 User Administration
10.3 Contractor Access Considerations
10.4 Public Access Considerations
10.5 Interdependencies
10.6 Cost Considerations

Chapter 11. PREPARING FOR CONTINGENCIES AND DISASTERS
11.1 Step 1: Identifying the Mission- or Business-Critical Functions
11.2 Step 2: Identifying the Resources That Support Critical Functions
11.3 Step 3: Anticipating Potential Contingencies or Disasters
11.4 Step 4: Selecting Contingency Planning Strategies
11.5 Step 5: Implementing the Contingency Strategies
11.6 Step 6: Testing and Revising
11.7 Interdependencies
11.8 Cost Considerations

Chapter 12. COMPUTER SECURITY INCIDENT HANDLING
12.1 Benefits of an Incident Handling Capability
12.2 Characteristics of a Successful Incident Handling Capability
12.3 Technical Support for Incident Handling
12.4 Interdependencies
12.5 Cost Considerations

Chapter 13. AWARENESS, TRAINING, AND EDUCATION
13.1 Behavior
13.2 Accountability
13.3 Awareness
13.4 Training
13.5 Education
13.6 Implementation
13.7 Interdependencies
13.8 Cost Considerations

Chapter 14. SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND OPERATIONS
14.1 User Support
14.2 Software Support
14.3 Configuration Management
14.4 Backups
14.5 Media Controls
14.6 Documentation
14.7 Maintenance
14.8 Interdependencies
14.9 Cost Considerations

Chapter 15. PHYSICAL AND ENVIRONMENTAL SECURITY
15.1 Physical Access Controls
15.2 Fire Safety Factors
15.3 Failure of Supporting Utilities
15.4 Structural Collapse
15.5 Plumbing Leaks
15.6 Interception of Data
15.7 Mobile and Portable Systems
15.8 Approach to Implementation
15.9 Interdependencies
15.10 Cost Considerations
IV. TECHNICAL CONTROLS

Chapter 16. IDENTIFICATION AND AUTHENTICATION
16.1 I&A Based on Something the User Knows
16.2 I&A Based on Something the User Possesses
16.3 I&A Based on Something the User Is
16.4 Implementing I&A Systems
16.5 Interdependencies
16.6 Cost Considerations

Chapter 17. LOGICAL ACCESS CONTROL
17.1 Access Criteria
17.2 Policy: The Impetus for Access Controls
17.3 Technical Implementation Mechanisms
17.4 Administration of Access Controls
17.5 Coordinating Access Controls
17.6 Interdependencies
17.7 Cost Considerations

Chapter 18. AUDIT TRAILS
18.1 Benefits and Objectives
18.2 Audit Trails and Logs
18.3 Implementation Issues
18.4 Interdependencies
18.5 Cost Considerations

Chapter 19. CRYPTOGRAPHY
19.1 Basic Cryptographic Technologies
19.2 Uses of Cryptography
19.3 Implementation Issues
19.4 Interdependencies
19.5 Cost Considerations

V. EXAMPLE

Chapter 20. ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM
20.1 Initiating the Risk Assessment
20.2 HGA's Computer System
20.3 Threats to HGA's Assets
20.4 Current Security Measures
20.5 Vulnerabilities Reported by the Risk Assessment Team
20.6 Recommendations for Mitigating the Identified Vulnerabilities
20.7 Summary

Cross Reference and General Index

Acknowledgments

NIST would like to thank the many people who assisted with the development of this handbook. For their initial recommendation that NIST produce a handbook, we thank the members of the Computer System Security and Privacy Advisory Board, in particular, Robert Courtney, Jr. NIST management officials who supported this effort include: James Burrows, F. Lynn McNulty, Stuart Katzke, Irene Gilbert, and Dennis Steinauer.

In addition, special thanks is due those contractors who helped craft the handbook, prepare drafts, teach classes, and review material. Daniel F. Sterne of Trusted Information Systems (TIS), Glenwood, Maryland, served as Project Manager for Trusted Information Systems on this project.
In addition, many TIS employees contributed to the handbook, including David M. Balenson, Martha A. Branstad, Lisa M. Jaworski, Theodore M. P. Lee, Charles P. Pfleeger, Sharon P. Osuna, Diann K. Vechery, Kenneth M. Walker, and Thomas J. Winkler-Parenty. Additional drafters of handbook chapters include Lawrence Bassham (NIST), Robert V. Jacobson (International Security Technology, Inc., New York, NY), and John Wack (NIST).

Significant assistance was also received from Lisa Carnahan (NIST), James Dray (NIST), Irene Gilbert (NIST), Elizabeth Greer (NIST), Donna Dodson (NIST), the Department of Energy, Lawrence Keys (NIST), Elizabeth Lennon (NIST), Joan O'Callaghan (Bethesda, Maryland), Dennis Steinauer (NIST), Kibbie Streetman (Oak Ridge National Laboratory), and the Tennessee Valley Authority.

Moreover, thanks is extended to the reviewers of draft chapters. While many people assisted, the following two individuals were especially tireless: Robert Courtney, Jr. (RCI) and Steve Lipner (MITRE and TIS). Other important contributions and comments were received from Members of the Computer System Security and Privacy Advisory Board and the Steering Committee of the Federal Computer Security Program Managers' Forum.

Finally, although space does not allow specific acknowledgement of all the individuals who contributed to this effort, their assistance was critical to the preparation of this document.

Disclaimer: Note that references to specific products or brands is for explanatory purposes only; no endorsement, explicit or implicit, is intended or implied.

I. INTRODUCTION AND OVERVIEW

Chapter 1. INTRODUCTION

1.1 Purpose

This handbook provides assistance in securing computer-based resources (including hardware, software, and information) by explaining important concepts, cost considerations, and interrelationships of security controls. It illustrates the benefits of security controls, the major techniques or approaches for each control, and important related considerations.[1]

The handbook provides a broad overview of computer security to help readers understand their computer security needs and develop a sound approach to the selection of appropriate security controls.
It does not describe detailed steps necessary to implement a computer security program, provide detailed implementation procedures for security controls, or give guidance for auditing the security of specific systems. General references are provided at the end of this chapter, and references of "how-to" books and articles are provided at the end of each chapter in Parts II, III and IV.

The purpose of this handbook is not to specify requirements but, rather, to discuss the benefits of various computer security controls and situations in which their application may be appropriate. Some requirements for federal systems[2] are noted in the text. This document provides advice and guidance; no penalties are stipulated.

1.2 Intended Audience

The handbook was written primarily for those who have computer security responsibilities and need assistance understanding basic concepts and techniques. Within the federal government,[3] this includes those who have computer security responsibilities for sensitive systems.

For the most part, the concepts presented in the handbook are also applicable to the private sector.[4]

[1] It is recognized that the computer security field continues to evolve. To address changes and new issues, NIST's Computer Systems Laboratory publishes the CSL Bulletin series. Those bulletins which deal with security issues can be thought of as supplements to this publication.
[2] Note that these requirements do not arise from this handbook, but from other sources, such as the Computer Security Act of 1987.
[3] In the Computer Security Act of 1987, Congress assigned responsibility to NIST for the preparation of standards and guidelines for the security of sensitive federal systems, excluding classified and "Warner Amendment" systems (unclassified intelligence-related), as specified in 10 USC 2315 and 44 USC 3502.
[4] As necessary, issues that are specific to the federal environment are noted as such.
While there are differences between federal and private-sector computing, especially in terms of priorities and legal constraints, the underlying principles of computer security and the available safeguards - managerial, operational, and technical - are the same. The handbook is therefore useful to anyone who needs to learn the basics of computer security or wants a broad overview of the subject. However, it is probably too detailed to be employed as a user awareness guide, and is not intended to be used as an audit guide.

    Definition of Sensitive Information

    Many people think that sensitive information only requires protection from unauthorized disclosure. However, the Computer Security Act provides a much broader definition of the term "sensitive" information:

        any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense or foreign policy.

    The above definition can be contrasted with the long-standing confidentiality-based information classification system for national security information (i.e., CONFIDENTIAL, SECRET, and TOP SECRET). This system is based only upon the need to protect classified information from unauthorized disclosure; the U.S. Government does not have a similar system for unclassified information. No governmentwide schemes (for either classified or unclassified information) exist which are based on the need to protect the integrity or availability of information.

1.3 Organization

The first section of the handbook contains background and overview material, briefly discusses threats, and explains the roles and responsibilities of individuals and organizations involved in computer security. It explains the executive principles of computer security that are used throughout the handbook. For example, one important principle that is repeatedly stressed is that only security measures that are cost-effective should be implemented. A familiarity with the principles is fundamental to understanding the handbook's philosophical approach to the issue of security.
The next three major sections deal with security controls: Management Controls[5] (II), Operational Controls (III), and Technical Controls (IV). Most controls cross the boundaries between management, operational, and technical. Each chapter in the three sections provides a basic explanation of the control; approaches to implementing the control; some cost considerations in selecting, implementing, and using the control; and selected interdependencies that may exist with other controls. Each chapter in this portion of the handbook also provides references that may be useful in actual implementation.

o The Management Controls section addresses security topics that can be characterized as managerial. They are techniques and concerns that are normally addressed by management in the organization's computer security program. In general, they focus on the management of the computer security program and the management of risk within the organization.

o The Operational Controls section addresses security controls that focus on controls that are, broadly speaking, implemented and executed by people (as opposed to systems). These controls are put in place to improve the security of a particular system (or group of systems). They often require technical or specialized expertise - and often rely upon management activities as well as technical controls.

o The Technical Controls section focuses on security controls that the computer system executes.

[5] The term management controls is used in a broad sense and encompasses areas that do not fit neatly into operational or technical controls.
These controls are dependent upon the proper functioning of the system for their effectiveness. The implementation of technical controls, however, always requires significant operational considerations - and should be consistent with the management of security within the organization.

Finally, an example is presented to aid the reader in correlating some of the major topics discussed in the handbook. It describes a hypothetical system and discusses some of the controls that have been implemented to protect it. This section helps the reader better understand the decisions that must be made in securing a system, and illustrates the interrelationships among controls.

1.4 Important Terminology

To understand the rest of the handbook, the reader must be familiar with the following key terms and definitions as used in this handbook. In the handbook, the terms computers and computer systems are used to refer to the entire spectrum of information technology, including application and support systems. Other key terms include:

Computer Security: The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).

Integrity: In lay usage, information has integrity when it is timely, accurate, complete, and consistent. However, computers are unable to provide or protect all of these qualities. Therefore, in the computer security field, integrity is often discussed more narrowly as having two facets: data integrity and system integrity.
"Data integrity is a requirement that information and programs are changed only in a specified and authorized manner."[6] System integrity is a requirement that a system "performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system."[7] The definition of integrity has been, and continues to be, the subject of much debate among computer security experts.

Availability: A "requirement intended to assure that systems work promptly and service is not denied to authorized users."[8]

Confidentiality: A requirement that private or confidential information not be disclosed to unauthorized individuals.

[6] National Research Council, Computers at Risk (Washington, DC: National Academy Press, 1991), p. 54.
[7] National Computer Security Center, Pub. NCSC-TG-004-88.
[8] Computers at Risk, p. 54.

    Location of Selected Security Topics

    Because this handbook is structured to focus on computer security controls, there may be several security topics that the reader may have trouble locating. For example, no separate section is devoted to mainframe or personal computer security, since the controls discussed in the handbook can be applied (albeit in different ways) to various processing platforms and systems. The following may help the reader locate areas of interest not readily found in the table of contents:

    Topic                            Chapter
    Accreditation                    8 Life Cycle; 9 Assurance
    Firewalls                        17 Logical Access Controls
    Security Plans                   8 Life Cycle
    Trusted Systems                  9 Assurance (security features, including those incorporated into trusted systems, are discussed throughout)
    Viruses/Other Malicious Code     9 Assurance (Operational Assurance section); 12 Incident Handling

    Network Security: In many of the handbook chapters, network security uses the same basic set of controls as mainframe security or PC security. Considerations for using the control in a networked environment are addressed as appropriate. For example, secure gateways are discussed as a part of Access Control; transmitting authentication data over insecure networks is discussed in the Identification and Authentication chapter; and the Contingency Planning chapter talks about data communications contracts. For the same reason, there is not a separate chapter for PC, LAN, minicomputer, or mainframe security.

1.5 Legal Foundation for Federal Computer Security Programs
The executive principles discussed in the next chapter explain the need for computer security. In addition, within the federal government, a number of laws and regulations mandate that agencies protect their computers, the information they process, and related technology resources (e.g., telecommunications).[9] The most important are listed below.

o The Computer Security Act of 1987 requires agencies to identify sensitive systems, conduct computer security training, and develop computer security plans.

o The Federal Information Resources Management Regulation (FIRMR) is the primary regulation for the use, management, and acquisition of computer resources in the federal government.

o OMB Circular A-130 (specifically Appendix III) requires that federal agencies establish security programs containing specified elements.

Note that many more specific requirements, many of which are agency specific, also exist.

Federal managers are responsible for familiarity and compliance with applicable legal requirements. However, laws and regulations do not normally provide detailed instructions for protecting computer-related assets. Instead, they specify requirements - such as restricting the availability of personal data to authorized users. This handbook aids the reader in developing an effective, overall security approach and in selecting cost-effective controls to meet such requirements.

[9] Although not listed, readers should be aware that laws also exist that may affect nongovernment organizations.

References

Auerbach Publishers (a division of Warren Gorham & Lamont). Data Security Management. Boston, MA, 1995.

British Standards Institute. A Code of Practice for Information Security Management, 1993.

Caelli, William, Dennis Longley, and Michael Shain. Information Security Handbook. New York, NY: Stockton Press, 1991.

Fites, P., and M. Kratz. Information Systems Security: A Practitioner's Reference. New York, NY: Van Nostrand Reinhold, 1993.

Garfinkel, S., and G. Spafford. Practical UNIX Security. Sebastopol, CA: O'Reilly & Associates, Inc., 1991.
Institute of Internal Auditors Research Foundation. System Auditability and Control Report. Altamonte Springs, FL: The Institute of Internal Auditors, 1991.

National Research Council. Computers at Risk: Safe Computing in the Information Age. Washington, DC: National Academy Press, 1991.

Pfleeger, Charles P. Security in Computing. Englewood Cliffs, NJ: Prentice Hall, 1989.

Russell, Deborah, and G. T. Gangemi, Sr. Computer Security Basics. Sebastopol, CA: O'Reilly & Associates, Inc., 1991.

Ruthberg, Z., and H. Tipton, eds. Handbook of Information Security Management. Boston, MA: Auerbach Press, 1993.

Chapter 2. ELEMENTS OF COMPUTER SECURITY

This handbook's general approach to computer security is based on eight major elements:

1. Computer security should support the mission of the organization.
2. Computer security is an integral element of sound management.
3. Computer security should be cost-effective.
4. Computer security responsibilities and accountability should be made explicit.
5. System owners have computer security responsibilities outside their own organizations.
6. Computer security requires a comprehensive and integrated approach.
7. Computer security should be periodically reassessed.
8. Computer security is constrained by societal factors.

Familiarity with these elements will aid the reader in better understanding how the security controls (discussed in later sections) support the overall computer security program goals.

2.1 Computer Security Supports the Mission of the Organization

The purpose of computer security is to protect an organization's valuable resources, such as information, hardware, and software. Through the selection and application of appropriate safeguards, security helps the organization's mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets. Unfortunately, security is sometimes viewed as thwarting the mission of the organization by imposing poorly selected, bothersome rules and procedures on users, managers, and systems.
On the contrary, well-chosen security rules and procedures do not exist for their own sake - they are put in place to protect important assets and thereby support the overall organizational mission.

Security, therefore, is a means to an end and not an end in itself. For example, in a private-sector business, having good security is usually secondary to the need to make a profit. Security, then, ought to increase the firm's ability to make a profit. In a public-sector agency, security is usually secondary to the agency's service provided to citizens. Security, then, ought to help improve the service provided to the citizen.

To act on this, managers need to understand both their organizational mission and how each system supports that mission. After a system's role has been defined, the security requirements implicit in that role can be defined. Security can then be explicitly stated in terms of the organization's mission.

The roles and functions of a system may not be constrained to a single organization. In an interorganizational system, each organization benefits from securing the system. For example, for electronic commerce to be successful, each of the participants requires security controls to protect their resources. However, good security on the buyer's system also benefits the seller; the buyer's system is less likely to be used for fraud or to be unavailable or otherwise negatively affect the seller. (The reverse is also true.)

    This chapter draws upon the OECD's Guidelines for the Security of Information Systems, which was endorsed by the United States. It provides for:

    Accountability - The responsibilities and accountability of owners, providers and users of information systems and other parties should be explicit.

    Awareness - Owners, providers, users and other parties should readily be able, consistent with maintaining security, to gain appropriate knowledge of and be informed about the existence and general extent of measures for the security of information systems.

    Ethics - The information systems and the security of information systems should be provided and used in such a manner that the rights and legitimate interest of others are respected.
    Multidisciplinary - Measures, practices and procedures for the security of information systems should take account of and address all relevant considerations and viewpoints.

    Proportionality - Security levels, costs, measures, practices and procedures should be appropriate and proportionate to the value of and degree of reliance on the information systems and to the severity, probability and extent of potential harm.

    Integration - Measures, practices and procedures for the security of information systems should be coordinated and integrated with each other and other measures, practices and procedures of the organization so as to create a coherent system of security.

    Timeliness - Public and private parties, at both national and international levels, should act in a timely coordinated manner to prevent and to respond to breaches of security of information systems.

    Reassessment - The security of information systems should be reassessed periodically, as information systems and the requirements for their security vary over time.

    Democracy - The security of information systems should be compatible with the legitimate use and flow of data and information in a democratic society.

2.2 Computer Security is an Integral Element of Sound Management

Information and computer systems are often critical assets that support the mission of an organization. Protecting them can be as critical as protecting other organizational resources, such as money, physical assets, or employees.

However, including security considerations in the management of information and computers does not completely eliminate the possibility that these assets will be harmed. Ultimately, organization managers have to decide what level of risk they are willing to accept, taking into account the cost of security controls.
As with many other resources, the management of information and computers may transcend organizational boundaries. When an organization's information and computer systems are linked with external systems, management's responsibilities also extend beyond the organization. This may require that management (1) know what general level or type of security is employed on the external system(s) or (2) seek assurance that the external system provides adequate security for the using organization's needs.

2.3 Computer Security Should Be Cost-Effective

The costs and benefits of security should be carefully examined in both monetary and non-monetary terms to ensure that the cost of controls does not exceed expected benefits. Security should be appropriate and proportionate to the value of and degree of reliance on the computer systems and to the severity, probability and extent of potential harm. Requirements for security vary, depending upon the particular computer system.

In general, security is a smart business practice. By investing in security measures, an organization can reduce the frequency and severity of computer security-related losses. For example, an organization may estimate that it is experiencing significant losses per year in inventory through fraudulent manipulation of its computer system. Security measures, such as an improved access control system, may significantly reduce the loss.

Moreover, a sound security program can thwart hackers and can reduce the frequency of viruses. Elimination of these kinds of threats can reduce unfavorable publicity as well as increase morale and productivity.

Security benefits, however, do have both direct and indirect costs. Direct costs include purchasing, installing, and administering security measures, such as access control software or fire-suppression systems. Additionally, security measures can sometimes affect system performance, employee morale, or retraining requirements.
retraining requirements All of these have to be considered addition to the basic cost of the control itself exceed the is initial cost of the control as In many cases these additional costs may in well often seen for example in the costs of administering an access control package Solutions to security problems should not be chosen directly or indirectly than simply tolerating the problem 11 if they cost more Introduction and Overview Computer Security 2 4 Responsibilities and Accountability Should Be Made Explicit The responsibilities 11 other parties and accountability 10 of owners providers and users of computer systems and concerned with the security of computer systems should be assignment of responsibilities may be internal to an organization or explicit may extend 12 The across organizational boundaries Depending on the size of the organization the program may be large or small even a collateral duty of another management official However even small organizations can prepare a document that states organization policy and makes explicit computer security responsibilities This element does not specify that individual accountability must be provided for on all systems For example many information dissemination systems do not require user identification and therefore cannot hold users accountable Systems Owners Have Security Responsibilities Outside Their 2 5 Own Organizations If a system has external users its owners have a responsibility to share appropriate knowledge about the existence and general extent of security measures so that other users can be confident that the system minimum level is adequately secure This does not imply that all systems must meet any of security but does imply that system owners should inform their clients or users about the nature of the security In addition to sharing information about security organization managers should act in a timely coordinated manner to prevent and to respond to breaches of security to help prevent damage 
to 10 The difference between responsibility and accountability is not always clear In general responsibility is a broader The term implies a proactive stance on the part of the responsible responsible party and a given outcome The term accountability generally term defining obligations and expected behavior party and a causal relationship between the refers to the ability to hold people responsible for their actions Therefore people could be responsible for their actions but not held accountable For example an anonymous user on a system cannot be held accountable if a compromise occurs since The term other parties may include but is is responsible for not compromising security but the action cannot be traced to an individual not limited to executive management programmers maintenance providers information system managers software managers operations managers and network managers software development managers managers charged with security of information systems and system auditors 12 Implicit is entities and external information the recognition that people or other entities such as corporations or governments and accountability related many internal to computer systems These are Assignment of responsibilities is responsibilities have responsibilities and accountabilities are often shared among usually accomplished through the issuance of policy See Chapter 5 12 Elements of Computer Security 2 others 2 6 13 However taking such action should not jeopardize the security of systems Computer Security Requires a Comprehensive and Integrated Approach Providing effective computer security requires a comprehensive approach that considers a variety of areas both within and outside of the computer security extends throughout the entire information life field This comprehensive approach cycle 2 6 1 Interdependencies of Security Controls To work effectively security controls often depend upon the proper functioning of other controls In fact many such interdependencies exist If 
appropriately chosen managerial operational and technical controls can work together synergistically On the other hand without a firm understanding of the interdependencies of security controls they can actually undermine one another For example without proper training package the user user may may on how and when to use a virus-detection apply the package incorrectly and therefore ineffectively As a result the mistakenly believe that their system will always be virus-free and spread a virus In reality these interdependencies are usually may inadvertently more complicated and difficult to ascertain 2 6 2 The Other Interdependencies on such factors as system management legal and management controls Computer security needs to effectiveness of security controls also depends issues quality assurance work with and internal traditional security disciplines including physical and personnel security Many other important interdependencies exist that are often unique to the organization or system environment Managers should recognize how computer security relates to other areas of systems and organizational management 2 7 Computer Security Should Be Periodically Reassessed Computers and the environments they operate and information in are in the systems risks associated requirements are ever-changing Many dynamic System technology and users data with the system and therefore security types of changes affect system security technological developments whether adopted by the system owner or available for use by others connecting to external networks a change in the value or use of information or the emergence of a new threat 13 Organisation for Economic Co-operation and Development Guidelines for the Security of Information Systems Paris 1992 13 Introduction and Overview In addition security discover new ways is never perfect when a system is implemented System users and operators to intentionally or unintentionally bypass or subvert security system or the environment can 
create new vulnerabilities Strict Changes adherence to procedures and procedures become outdated over time All of these issues make it in the is rare necessary to reassess the security of computer systems 2 8 Computer Security The ability factors is Constrained by Societal Factors of security to support the mission of the organization s may be limited such as social issues For example security and workplace privacy can by various conflict Commonly security is implemented on a computer system by identifying users and tracking their actions However expectations of privacy vary and can be violated by some security measures In some cases privacy may be mandated by law Although privacy is an extremely important societal issue information especially between a government and may need such as its to be modified to support a societal goal retinal scanning The underlying idea is may be considered invasive that security it is citizens not the only one is In addition in some authentication measures some environments and cultures measures should be selected and implemented with a recognition of the rights and legitimate interests of others This security needs of information The flow of another situation where security owners and users with many societal goals involve balancing the However rules and expectations change with regard to the appropriate use of security controls These changes may either increase or decrease security The relationship between security and norms societal is not necessarily antagonistic Security can enhance the access and flow of data and information by providing more accurate and reliable information and greater availability of systems Security can also increase the privacy afforded to an individual or help achieve other goals set by society References Organisation for Economic Co-operation and Development Guidelines for the Security of Information Systems Paris 1992 14 Chapter 3 ROLES AND RESPONSIBILITIES One fundamental issue that arises in 
discussions of computer security is: "Whose responsibility is it?" Of course, on a basic level the answer is simple: computer security is the responsibility of everyone who can affect the security of a computer system. However, the specific duties and responsibilities of various individuals and organizational entities vary considerably.

This chapter presents a brief overview of the roles and responsibilities of the various officials and organizational offices typically involved with computer security. [14] They include the following groups: [15] senior management; program/functional managers/application owners; computer security management; technology providers; supporting organizations; and users.

This chapter is intended to give the reader a basic familiarity with the major organizational elements that play a role in computer security. It does not describe all responsibilities of each in detail, nor will this chapter apply uniformly to all organizations. Organizations, like individuals, have unique characteristics, and no single template can apply to all. Smaller organizations, in particular, are not likely to have separate individuals performing many of the functions described in this chapter. Even at some larger organizations, some of the duties described in this chapter may not be staffed with full-time personnel. What is important is that these functions be handled in a manner appropriate for the organization.

As with the rest of the handbook, this chapter is not intended to be used as an audit guide.

3.1 Senior Management

Senior management has ultimate responsibility for the security of an organization's computer systems.

Ultimately, responsibility for the success of an organization lies with its senior managers. They establish the organization's computer security program and its overall program goals, objectives, and priorities in order to support the mission of the organization. Ultimately, the head of the organization is responsible for ensuring that adequate resources are applied to the program and that it is successful. Senior managers are also responsible for setting a good example for their employees by following all applicable security practices.

3.2 Computer Security Management

The Computer Security Program Manager (and support staff) directs the organization's day-to-day management of its computer security program. This individual is also responsible for coordinating all security-related interactions among organizational elements involved in the computer security program, as well as those external to the organization.

3.3 Program and Functional Managers/Application Owners

Program or Functional Managers/Application Owners are responsible for a program or function (e.g., procurement or payroll), including the supporting computer system. [16] Their responsibilities include providing for appropriate security, including management, operational, and technical controls. These officials are usually assisted by a technical staff that oversees the actual workings of the system. This kind of support is no different for other staff members who work on other program implementation issues.

Also, the program or functional manager/application owner is often aided by a Security Officer (frequently dedicated to that system, particularly if it is large or critical to the organization) in developing and implementing security requirements.

3.4 Technology Providers

System Management/System Administrators. These personnel are the managers and technicians who design and operate computer systems. They are responsible for implementing technical security on computer systems and for being familiar with security technology that relates to their system. They also need to ensure the continuity of their services to meet the needs of functional managers, as well as analyzing technical vulnerabilities in their systems (and their security implications). They are often a part of a larger Information Resources Management (IRM) organization.

Communications/Telecommunications Staff. This office is normally responsible for providing communications services, including voice, data, video, and fax service. Their responsibilities for communication systems are similar to those that systems management officials have for their systems. The staff may not be separate from other technology service providers or the IRM office.

System Security Manager/Officers. Often assisting system management officials in this effort is a system security manager/officer responsible for day-to-day security implementation/administration duties. Although not normally part of the computer security program management office, this officer is responsible for coordinating the security efforts of a particular system(s). This person works closely with system management personnel, the computer security program manager, and the program or functional manager's security officer. In fact, depending upon the organization, this may be the same individual as the program or functional manager's security officer. This person may or may not be a part of the organization's overall security office.

Help Desk. Whether or not a Help Desk is tasked with incident handling, it needs to be able to recognize security incidents and refer the caller to the appropriate person or organization for a response.

What is a Program/Functional Manager?

The term program/functional manager/application owner may not be familiar or immediately apparent to all readers. The examples provided below should help the reader better understand this important concept. In reviewing these examples, note that computer systems often serve more than one group or function.

Example #1. A personnel system serves an entire organization. However, the Personnel Manager would normally be the application owner. This applies even if the application is distributed so that supervisors and clerks throughout the organization use and update the system.

Example #2. A federal benefits system provides monthly benefit checks to 500,000 citizens. The processing is done on a mainframe data center. The Benefits Program Manager is the application owner.

Example #3. A mainframe data processing organization supports several large applications. The mainframe director is not the Functional Manager for any of the applications.

Example #4. A 100-person division has a diverse collection of personal computers, work stations, and minicomputers used for general office support, Internet connectivity, and computer-oriented research. The division director would normally be the Functional Manager responsible for the system.

3.5 Supporting Functions

The security responsibilities of managers, technology providers, and security officers are supported by functions normally assigned to others. Some of the more important of these are described below. [17]

Audit. Auditors are responsible for examining systems to see whether the system is meeting stated security requirements, including system and organization policies, and whether security controls are appropriate. Informal audits can be performed by those operating the system under review or, if impartiality is important, by outside auditors. [18]

Physical Security. The physical security office is usually responsible for developing and enforcing appropriate physical security controls, in consultation with computer security management, program and functional managers, and others, as appropriate. Physical security should address not only central computer installations, but also backup facilities and office environments. In the government, this office is often responsible for the processing of personnel background checks and security clearances.

Disaster Recovery/Contingency Planning Staff. Some organizations have a separate disaster recovery/contingency planning staff. In this case, they are normally responsible for contingency planning for the organization as a whole, and normally work with program and functional managers/application owners, the computer security staff, and others to obtain additional contingency planning support, as needed.

Quality Assurance. Many organizations have established a quality assurance program to improve the products and services they provide to their customers. The quality officer should have a working knowledge of computer security and how it can be used to improve the quality of the program, for example, by improving the integrity of computer-based information, the availability of services, and the confidentiality of customer information, as appropriate.

Procurement. The procurement office is responsible for ensuring that organizational procurements have been reviewed by appropriate officials. The procurement office cannot be responsible for ensuring that goods and services meet computer security expectations, because it lacks the technical expertise. Nevertheless, this office should be knowledgeable about computer security standards and should bring them to the attention of those requesting such technology.

Training Office. An organization has to decide whether the primary responsibility for training users, operators, and managers in computer security rests with the training office or the computer security program office. In either case, the two organizations should work together to develop an effective training program.

Personnel. The personnel office is normally the first point of contact in helping managers determine if a security background investigation is necessary for a particular position. The personnel and security offices normally work closely on issues involving background investigations. The personnel office may also be responsible for providing security-related exit procedures when employees leave an organization.

Risk Management/Planning Staff. Some organizations have a full-time staff devoted to studying all types of risks to which the organization may be exposed. This function should include computer security-related risks, although this office normally focuses on "macro" issues. Specific risk analyses for specific computer systems are normally not performed by this office.

Physical Plant. This office is normally responsible for ensuring the provision of such services as electrical power and environmental controls necessary for the safe and secure operation of an organization's systems. Often they are augmented by separate medical, fire, hazardous waste, or life safety personnel.

Who Should Be the Accrediting Official?

The Accrediting Officials are agency officials who have authority to accept an application's security safeguards and approve a system for operation. The Accrediting Officials must also be authorized to allocate resources to achieve acceptable security and to remedy security deficiencies. Without this authority, they cannot realistically take responsibility for the accreditation decision. In general, Accreditors are senior officials, who may be the Program or Function Manager/Application Owner. For some very sensitive applications, the Senior Executive Officer is appropriate as an Accrediting Official. In general, the more sensitive the application, the higher the Accrediting Officials are in the organization.

Where privacy is a concern, federal managers can be held personally liable for security inadequacies. The issuing of the accreditation statement fixes security responsibility, thus making explicit a responsibility that might otherwise be implicit. Accreditors should consult the agency general counsel to determine their personal liabilities. (Note that accreditation is a formality unique to the government.)

Source: NIST FIPS 102.

3.6 Users

Users also have responsibilities for computer security. Two kinds of users, and their associated responsibilities, are described below.

Users of Information. Individuals who use information provided by the computer can be considered the "consumers" of the applications. Sometimes they directly interact with the system (e.g., to generate a report on screen), in which case they are also users of the system, as discussed below. Other times, they may only read computer-prepared reports or only be briefed on such material. Some users of information may be very far removed from the computer system. Users of information are responsible for letting the functional managers/application owners (or their representatives) know what their needs are for the protection of information, especially for its integrity and availability.

Users of Systems. Individuals who directly use computer systems (typically via a keyboard) are responsible for following security procedures, for reporting security problems, and for attending required computer security and functional training.

Footnotes

[14] Note that this includes groups within the organization; outside organizations (e.g., NIST and OMB) are not included in this chapter.

[15] These categories are generalizations used to help aid the reader; if they are not applicable to the reader's particular environment, they can be safely ignored. While all of these categories may not exist in a particular organization, the functionality implied by them will often still be present. Also, some organizations may fall into more than one category. For example, the personnel office both supports the computer security program (by keeping track of employee departures) and is also a user of computer services.

[16] The functional manager/application owner may or may not be the data owner. Particularly within the government, the concept of the data owner may not be the most appropriate, since citizens ultimately own the data.

[17] Categorization of functions and organizations in this section as "supporting" is in no way meant to imply any degree of lessened importance. Also note that this list is not all-inclusive. Additional supporting functions that can be provided may include configuration management, independent verification and validation, and independent penetration testing teams.

[18] The term "outside auditors" includes both auditors external to the organization as a whole and the organization's internal audit staff. For purposes of this discussion, both are outside the management chain responsible for the operation of the system.

References

Wood, Charles Cresson. "How to Achieve a Clear Definition of Responsibilities for Information Security." DATAPRO Information Security Service, IS115-200-101, 7 pp., April 1993.

Chapter 4 COMMON THREATS: A BRIEF OVERVIEW

Computer systems are vulnerable to many threats that can inflict various types of damage resulting in significant losses. This damage can range from errors harming database integrity to fires destroying entire computer centers. Losses can stem, for example, from the actions of supposedly trusted employees defrauding a system, from outside hackers, or from careless data entry clerks. Precision in estimating computer security-related losses is not possible because many losses are never discovered, and others are "swept under the carpet" to avoid unfavorable publicity. The effects of various threats vary considerably: some affect the confidentiality or integrity of data, while others affect the availability of a system.

This chapter presents a broad view of the risky environment in which systems operate today. [19] The threats and associated losses presented in this chapter were selected based on their prevalence and significance in the current computing environment and their expected growth. This list is not exhaustive, and some threats may combine elements from more than one area. This overview of many of today's common threats may prove useful to organizations studying their own threat environments; however, the perspective of this chapter is very broad. Thus, threats against particular systems could be quite different from those discussed here.

To control the risks of operating an information system, managers and users need to know the vulnerabilities of the system and the threats that may exploit them. [20] Knowledge of the threat environment allows the system manager to implement the most cost-effective security measures. [21]
In some cases, managers may find it more cost-effective to simply tolerate the expected losses. Such decisions should be based on the results of a risk analysis. (See Chapter 7.)

4.1 Errors and Omissions

Errors and omissions are an important threat to data and system integrity. These errors are caused not only by data entry clerks processing hundreds of transactions per day, but also by all types of users who create and edit data. Many programs, especially those designed by users for personal computers, lack quality control measures. However, even the most sophisticated programs cannot detect all types of input errors or omissions. A sound awareness and training program can help an organization reduce the number and severity of errors and omissions.

Users, data entry clerks, system operators, and programmers frequently make errors that contribute directly or indirectly to security problems. In some cases, the error is the threat, such as a data entry error or a programming error that crashes a system. In other cases, the errors create vulnerabilities. Errors can occur during all phases of the systems life cycle. A long-term survey of computer-related economic losses conducted by Robert Courtney, a computer security consultant and former member of the Computer System Security and Privacy Advisory Board, found that 65 percent of losses to organizations were the result of errors and omissions. [22] This figure was relatively consistent between both private and public sector organizations.

Programming and development errors, often called "bugs," can range in severity from benign to catastrophic. In a 1989 study for the House Committee on Science, Space and Technology, entitled Bugs in the Program, the staff of the Subcommittee on Investigations and Oversight summarized the scope and severity of this problem in terms of government systems as follows:

    As expenditures grow, so do concerns about the reliability, cost and accuracy of ever-larger and more complex software systems. These concerns are heightened as computers perform more critical tasks, where mistakes can cause financial turmoil, accidents, or in extreme cases, death. [23]

Since the study's publication, the software industry has changed considerably, with measurable improvements in software quality. Yet software "horror stories" still abound, and the basic principles and problems analyzed in the report remain the same. While there have been great improvements in program quality, as reflected in decreasing errors per 1000 lines of code, the concurrent growth in program size often seriously diminishes the beneficial effects of these program quality enhancements.

Installation and maintenance errors are another source of security problems. For example, an audit by the President's Council for Integrity and Efficiency (PCIE) in 1988 found that every one of the ten mainframe computer sites studied had installation and maintenance errors that introduced significant security vulnerabilities. [24]

4.2 Fraud and Theft

Computer systems can be exploited for both fraud and theft, both by "automating" traditional methods of fraud and by using new methods. For example, individuals may use a computer to skim small amounts of money from a large number of financial accounts, assuming that small discrepancies may not be investigated. Financial systems are not the only ones at risk. Systems that control access to any resource are targets (e.g., time and attendance systems, inventory systems, school grading systems, and long-distance telephone systems).

Computer fraud and theft can be committed by insiders or outsiders. Insiders (i.e., authorized users of a system) are responsible for the majority of fraud. A 1993 InformationWeek/Ernst and Young study found that 90 percent of Chief Information Officers viewed employees "who do not need to know" information as threats. [25] The U.S. Department of Justice's Computer Crime Unit contends that "insiders constitute the greatest threat to computer systems." [26] Since insiders have both access to and familiarity with the victim computer system (including what resources it controls and its flaws), authorized system users are in a better position to commit crimes. Insiders can be both general users (such as clerks) or technical staff members. An organization's former employees, with their knowledge of an organization's operations, may also pose a threat, particularly if their access is not terminated promptly.

In addition to the use of technology to commit fraud and theft, computer hardware and software may be vulnerable to theft. For example, one study conducted by Safeware Insurance found that $882 million worth of personal computers was lost due to theft in 1992. [27]

4.3 Employee Sabotage

Employees are most familiar with their employer's computers and applications, including knowing what actions might cause the most damage, mischief, or sabotage. The downsizing of organizations in both the public and private sectors has created a group of individuals with organizational knowledge, who may retain potential system access (e.g., if system accounts are not deleted in a timely manner). [28] The number of incidents of employee sabotage is believed to be much smaller than the instances of theft, but the cost of such incidents can be quite high.

Martin Sprouse, author of Sabotage in the American Workplace, reported that the motivation for sabotage can range from altruism to revenge:

    As long as people feel cheated, bored, harassed, endangered, or betrayed at work, sabotage will be used as a direct method of achieving job satisfaction - the kind that never has to get the bosses' approval. [29]

Common examples of computer-related employee sabotage include:
o destroying hardware or facilities
o planting logic bombs that destroy programs or data
o entering data incorrectly
o "crashing" systems
o deleting data
o holding data hostage
o changing data

4.4 Loss of Physical and Infrastructure Support

The loss of supporting infrastructure includes power failures (outages, spikes, and brownouts), loss of communications, water outages and leaks, sewer problems, lack of transportation services, fire, flood, civil unrest, and strikes. These losses include such dramatic events as the explosion at the World Trade Center and the Chicago tunnel flood, as well as more common events, such as broken water pipes. Many of these issues are covered in Chapter 15.

A loss of infrastructure often results in system downtime, sometimes in unexpected ways. For example, employees may not be able to get to work during a winter storm, although the computer system may be functional.

4.5 Malicious Hackers

The term malicious hackers, sometimes called crackers, refers to those who break into computers without authorization. They can include both outsiders and insiders. Much of the rise of hacker activity is often attributed to increases in connectivity in both government and industry. One 1992 study of a particular Internet site (i.e., one computer system) found that hackers attempted to break in at least once every other day. [30]

The hacker threat should be considered in terms of past and potential future damage. Although current losses due to hacker attacks are significantly smaller than losses due to insider theft and sabotage, the hacker problem is widespread and serious. One example of malicious hacker activity is that directed against the public telephone system. Studies by the National Research Council [31] and the National Security Telecommunications Advisory Committee [32] show that hacker activity is not limited to toll fraud. It also includes the ability to break into telecommunications systems (such as switches), resulting in the degradation or disruption of system availability. While unable to reach a conclusion about the degree of threat or risk, these studies underscore the ability of hackers to cause serious damage.

The hacker threat often receives more attention than more common and dangerous threats. The U.S. Department of Justice's Computer Crime Unit suggests three reasons for this.

o First, the hacker threat is a more recently encountered threat. Organizations have always had to worry about the actions of their own employees and could use disciplinary measures to reduce that threat. However, these measures are ineffective against outsiders who are not subject to the rules and regulations of the employer.

o Second, organizations do not know the purposes of a hacker: some hackers browse, some steal, some damage. This inability to identify purposes can suggest that hacker attacks have no limitations.

o Third, hacker attacks make people feel vulnerable, particularly because their identity is unknown. For example, suppose a painter is hired to paint a house and, once inside, steals a piece of jewelry. Other homeowners in the neighborhood may not feel threatened by this crime and will protect themselves by not doing business with that painter. But if a burglar breaks into the same house and steals the same piece of jewelry, the entire neighborhood may feel victimized and vulnerable. [33]

4.6 Industrial Espionage

Industrial espionage is the act of gathering proprietary data from private companies or the government [34] for the purpose of aiding another company(ies). Industrial espionage can be perpetrated either by companies seeking to improve their competitive advantage or by governments seeking to aid their domestic industries. Foreign industrial espionage carried out by a government is often referred to as economic espionage. Since information is processed and stored on computer systems, computer security can help protect against such threats; it can do little, however, to reduce the threat of authorized employees selling that information.

Industrial espionage is on the rise. A 1992 study sponsored by the American Society for Industrial Security (ASIS) found that proprietary business information theft had increased 260 percent since 1985. The data indicated 30 percent of the reported losses in 1991 and 1992 had foreign involvement. The study also found that 58 percent of thefts were perpetrated by current or former employees. [35] The three most damaging types of stolen information were pricing information, manufacturing process information, and product development and specification information. Other types of information stolen included customer lists, basic research, sales data, personnel data, compensation data, cost data, proposals, and strategic plans. [36]

Within the area of economic espionage, the Central Intelligence Agency has stated that the main objective is obtaining information related to technology, but that information on U.S. Government policy deliberations concerning foreign affairs and information on commodities, interest rates, and other economic factors is also a target. [37] The Federal Bureau of Investigation concurs that technology-related information is the main target, but also lists corporate proprietary information, such as negotiating positions and other contracting data, as a target. [38]

Footnotes

[19] As is true for this publication as a whole, this chapter does not address threats to national security systems, which fall outside of NIST's purview. The term national security systems is defined in National Security Directive 42 (7/5/90) as being "those telecommunications and information systems operated by the U.S. Government, its contractors, or agents that contain classified information or, as set forth in 10 U.S.C. 2315, that involves intelligence activities, involves cryptologic activities related to national security, involves command and control of military forces, involves equipment that is an integral part of a weapon or weapon system, or involves equipment that is critical to the direct fulfillment of military or intelligence missions."

[20] A discussion of how threats, vulnerabilities, safeguard selection, and risk mitigation are related is contained in Chapter 7, Risk Management.

[21] Note that one protects against threats that can exploit a vulnerability. If a vulnerability exists but no threat exists to take advantage of it, little or nothing is gained by protecting against the vulnerability. See Chapter 7, Risk Management.

[22] Computer System Security and Privacy Advisory Board, 1991 Annual Report, Gaithersburg, MD, March 1992, p. 18. The categories into which the problems were placed and the percentages of economic loss attributed to each were: 65% errors and omissions; 13% dishonest employees; 6% disgruntled employees; 8% loss of supporting infrastructure, including power, communications, water, sewer, transportation, fire, flood, civil unrest, and strikes; 5% water (not related to fires and floods); and less than 3% outsiders, including viruses, espionage, dissidents, and malcontents of various kinds, and former employees who have been away for more than six weeks.

[23] House Committee on Science, Space, and Technology, Subcommittee on Investigations and Oversight, Bugs in the Program: Problems in Federal Government Computer Software Development and Regulation, 101st Cong., 1st sess., 3 August 1989, p. 2.

[24] President's Council on Integrity and Efficiency, Review of General Controls in Federal Computer Systems, October 1988.

[25] Bob Violino and Joseph C. Panettieri, "Tempting Fate," InformationWeek, October 4, 1993, p. 42.

[26] Letter from Scott Charney, Chief, Computer Crime Unit, U.S. Department of Justice, to Barbara Guttman, NIST, July 29, 1993.

[27] "Theft, Power Surges Cause Most PC Losses," Infosecurity News, September/October 1993, 13.

[28] Charney.

[29] Martin Sprouse, ed., Sabotage in the American Workplace: Anecdotes of Dissatisfaction, Mischief and Revenge (San Francisco, CA: Pressure Drop Press, 1992), p. 7.

[30] Steven M. Bellovin, "There Be Dragons," Proceedings of the Third Usenix UNIX Security Symposium.

[31] National Research Council, Growing Vulnerability of the Public Switched Networks: Implication for National Security Emergency Preparedness, Washington, DC, National Academy Press, 1989.

[32] Report of the National Security Task Force, November 1990.

[33] Charney.

[34] The government is included here because it often is the custodian for

[35] The figures of 30 and

[36] Richard J.
proprietary data e g patent applications 58 percent are not mutually exclusive Heffernan and Dan T Swartwood Trends in Competitive Intelligence Security Management 37 no 1 January 1993 pp 70-73 37 Robert M Gates testimony before the House Subcommittee on Economic and Commercial Law Committee on the Judiciary 38 29 April 1992 William the Judiciary S Sessions testimony before the House Subcommittee on Economic and Commercial Law Committee on 29 April 1992 26 4 4 7 Malicious Threats A Brief Overview Code Malicious code refers to viruses worms Trojan horses logic bombs and other uninvited Sometimes mistakenly associated only with personal computers malicious code can software attack other platforms A 1993 study of viruses found that while the number of known viruses increasing exponentially the virus incidents not is 39 is number of Malicious Software A Few Key Terms The study A code segment that replicates by attaching copies of itself to concluded that viruses are becoming Virus' more existing executables The new copy of the virus is executed when a user new host program The virus may include an additional payload that triggers when specific conditions are met For example some viruses display a text string on a particular date There are many prevalent but only gradually executes the The rate of incidents in PC-DOS virus medium to large North types of viruses including variants overwriting resident stealth and polymorphic American businesses appears to be approximately 1 per 1000 PCs per quarter the number of infected machines perhaps 3 or 4 times is this figure if we assume such businesses are Trojan Horse example an editing program for a multiuser system This program could be modified to randomly delete one of the users' files each time they perform a useful function editing but the deletions are unexpected and most weakly that at least protected against viruses 40 41 definitely undesired Worm Actual costs attributed to the presence it from system outages and time 
involved to execute The program creates a copy of itself and causes no user intervention is required Worms commonly use network services to propagate to other host systems staff Source in repairing the A self-replicating program that is self-contained and does not require a host program of malicious code have resulted primarily A program that performs a desired task but that also includes unexpected and undesirable functions Consider as an systems NIST Special Publication 800-5 Nonetheless these costs can be significant 4 8 Foreign In some Government Espionage instances threats posed by foreign government intelligence services may be present In addition to possible economic espionage foreign intelligence services 39 Jeffrey O Kephart 41 target unclassified and Steve R White Measuring and Modeling Computer Virus Prevalence Proceedings 1993 IEEE Computer Society Symposium on Research 40 may in Security and Privacy May 1993 14 Ibid Estimates of virus occurrences may not consider the strength of an organization's antivirus program 27 and Overview Introduction systems to farther their intelligence missions interest includes travel plans of senior manufacturing technologies satellite data investigative and security Some officials civil unclassified information that may be of defense and emergency preparedness personnel and payroll data and law enforcement Guidance should be sought from the cognizant security files office regarding such threats 4 9 Threats to Personal Privacy The accumulation of vast amounts of electronic information about individuals by governments credit bureaus and private companies combined with the ability of computers to monitor process and aggregate large amounts of information about individuals have created a threat to individual privacy The possibility that all of this information and technology modern information linked together has arisen as a specter of the Big Brother To guard age This is may be able to be often referred to as against such 
intrusion Congress has enacted legislation over the years such as the Privacy Act of 1974 and the Computer Matching and Privacy Protection Act of 1988 which defines the boundaries of the legitimate uses of personal information collected by the government The threat to personal privacy arises from many sources In several cases federal and state employees have sold personal information to private investigators or other information brokers One such when case was uncovered in 1992 two dozen individuals engaged in Administration SSA computer the Justice Department announced the arrest of over buying and selling information from Social Security 42 files During the investigation auditors learned that SSA employees had unrestricted access to over 130 million employment records Another investigation found that 5 percent of the employees in tax records of friends relatives and celebrities create fraudulent tax refunds but As more of these cases come many were to light many about threats to their personal privacy 43 Some of the employees used By the information to acting simply out of curiosity individuals are A July becoming increasingly concerned 1993 special report taken by Louis Harris and Associates showing that concerned about personal privacy one region of the IRS had browsed through in in MacWorld cited polling data 1970 only 33 percent of respondents were 1990 that number had jumped to 79 percent While the magnitude and cost to society of the personal privacy threat are 44 difficult to gauge it is 42 House Committee on Ways and Means Subcommittee on Social Security Illegal Disclosure of Social Security Earnings Information by Employees of the Social Security Administration and the Department of Health and Human Services' Office of Inspector General Hearing 102nd Cong 2nd sess 24 September 1992 Serial 102-131 43 44 Stephen Barr Probe Finds IRS Workers Were 'Browsing' Charles Piller Special Report in Files The Washington Post 3 August 1993 Workplace and Consumer 
Privacy Under Siege MacWorld July 1993 pp 28 p Al 1-14 4 apparent that information technology is becoming powerful enough Threats A Brief Overview to warrant fears of both government and corporate Big Brothers Increased awareness of the problem is needed References House Committee on Science Space and Technology Subcommittee on Investigations and Oversight Bugs in the Program Problems in Federal Government Computer Software Development and Regulation 101st Congress 1st session August 3 1989 National Research Council Computers at Risk Safe Computing in the Information Age Washington DC National Academy Press 1991 National Research Council Growing Vulnerability of the Public Switched Networks Implication for National Security Emergency Preparedness Washington DC National Academy Press 1989 Neumann Peter G Computer-Related Risks Reading MA Addison- Wesley 1994 Schwartau W Information Warfare New York NY Thunders Mouth Press 1994 Rev 1995 Sprouse Martin ed Sabotage in the American Workplace Anecdotes of Dissatisfaction Mischief and Revenge San Francisco CA Pressure Drop Press 1992 29 II MANAGEMENT CONTROLS 31 Chapter 5 COMPUTER SECURITY POLICY In discussions of computer security the term policy has more than one meaning 45 Policy senior management's directives to create a computer security program establish assign responsibilities particular systems 46 The term policy is may refer to entirely different matters such as the an organization's e-mail privacy policy or fax security policy defined as the documentation of computer security decisions the types of policy described above r term policy manneT 47 means Policy - which covers In making these decisions managers face hard all and term computer security In this chapter the policy goals also used to refer to the specific security rules for is Additionally policy specific managerial decisions setting its is different things to different people is used in this chapter in t0 refer to important computer The a broad 
security- related decisions 'o i choices involving resource allocation competing objectives and organizational strategy related to protecting both technical and information resources as well as guiding employee behavior Managers at all levels make choices that can result in policy with the scope of the policy's applicability varying according to the scope of the manager's authority In chapter we described use the term policy in a broad manner to encompass above - regardless of the level of manager who 45 them of the types of policy sets the particular policy Managerial decisions on computer security issues vary greatly kinds of policy this chapter categorizes all this To differentiate among various into three basic types o Program policy o Issue-specific policies address specific issues of concern to the organization There are variations in the is used to create an organization's computer security program use of the term policy as noted in a 1994 Office of Technology Assessment report Information Security and Privacy Network Environments Security Policy refers here to the statements made by on information access and safeguards Another Defense community and refers to the rules relating clearances of users to classification of in organizations corporations and agencies to establish overall policy meaning comes from the information In another usage security policies are used to refine and implement the broader organizational security policy 46 These are the kind of policies controls as well as 47 its that management and In general policy is set computer security experts refer to as being enforced by the system's technical operational controls by a manager However in some intraorganizational policy board 33 cases it may be set by a group e g an Management o Controls System-specific policies focus on decisions taken by particular system management to protect a 48 Procedures standards and guidelines are used to describe how these policies will be implemented within an 
organization See following box Tools to Implement Policy Standards Guidelines and Procedures Because policy is written offer users managers broad at a level organizations also develop standards guidelines and procedures that and others a clearer approach to implementing policy and meeting organizational goals Standards and guidelines specify technologies and methodologies to be used to secure systems Procedures are yet more detailed steps to be followed to accomplish particular security-related tasks Standards guidelines and procedures may be promulgated throughout an organization via handbooks regulations or manuals Organizational standards not to be confused with American National Standards FTPS Federal Standards or other national or international standards specify uniform use of specific technologies parameters or procedures when such uniform identification badges is use will benefit an organization Standardization of organizationwide a typical example providing ease of employee mobility and automation of entry exit systems Standards are normally compulsory within an organization Guidelines assist users systems personnel and others in effectively securing their systems The nature of guidelines however immediately recognizes that systems vary considerably and imposition of standards is not always achievable appropriate or cost-effective For example an organizational guideline may be used to help develop system-specific standard procedures Guidelines are often used to help ensure that specific security measures are not overlooked although they can be implemented and correctly so in more than one way Procedures normally assist in detailed steps to be followed e g preparing Some new complying with applicable security policies standards by users system operations personnel or others to and guidelines They are accomplish a particular task user accounts and assigning the appropriate privileges organizations issue overall computer security manuals regulations handbooks 
or similar documents These may mix policy guidelines standards and procedures since they are closely linked While manuals and regulations can serve as important tools it is often useful if they clearly distinguish between policy and its implementation This can help in promoting flexibility and cost-effectiveness by offering alternative implementation approaches to achieving policy goals Familiarity with various types and components of policy will aid managers in addressing computer security issues important to the organization Effective policies ultimately result in the A system refers to the entire collection of processes both those performed manually and those using a computer manual data collection and subsequent computer manipulation which performs a function This includes both application systems and support systems such as a network e g 34 5 Computer Security Policy development and implementation of a better computer security program and better protectio n of systems and information These types of policy are described to aid the reader's understanding one categorizes 49 It is specific organizational policies into these three categories not important that it is more important to focus on the functions of each Program 5 1 Policy A management official issues and program policy its normally the head of the organization or the senior administration to establish or restructure the organization's official computer security program program and its scope basic structure This high-level policy defines the purpose of the within the organization assigns responsibilities to the computer security organization for direct program implementation Management IRM Information Resources Program policy as well as other responsibilities to related offices such as the organization and addresses compliance issues sets organizational strategic directions for security and assigns resources for its implementation 5 1 1 Basic Components of Program Components of program Policy policy 
should address Purpose Program policy normally includes a statement describing established This may integrity availability policy For instance why the program is being include defining the goals of the program Security-related needs such as and in confidentiality can form the basis of organizational goals established in an organization responsible for maintaining large mission-critical databases reduction in errors data loss data corruption and recovery might be specifically stressed In an organization responsible for maintaining confidential personal data however goals might emphasize stronger protection against unauthorized disclosure Scope Program policy should be clear as to which resources including facilities hardware and -- software information and personnel the computer security program covers In many cases the program will encompass all systems and organizational personnel but this is not always true In some instances it may be appropriate for an organization's computer security program to be more limited in scope 49 No standard terms exist for various topic types of policies These terms are used to aid the reader's understanding of this no implication of their widespread usage is intended 35 Management Responsibilities program is Controls Once established the computer security its management Program policy establishes the security program and assigns program management and supporting is normally assigned to either a newly created or existing office The 50 responsibilities responsibilities of officials and offices throughout the organization also need to be addressed including IRM owners users and the data processing or statement for example would distinguish line managers applications organizations This section of the policy between the responsibilities of computer services providers and those of the managers of applications using the provided services The policy could also establish operational security offices for major systems particularly those at 
high risk or critical to organizational operations It also can serve as the basis for establishing most employee accountability At the program elements and policy level responsibilities should be specifically assigned to those organizational officials responsible for the implementation and continuity of the computer security 51 Compliance Program policy typically will address two compliance issues General compliance to ensure meeting the requirements to establish a program and 1 the responsibilities assigned therein to various organizational components Often an oversight office e g the Inspector General monitoring compliance including management's priorities for the The use of specified 2 how is assigned responsibility for well the organization is implementing program penalties and disciplinary actions Since the security policy is a high-level document specific penalties for various infractions are normally not detailed here instead the policy may authorize the creation of compliance structures that include violations and specific disciplinary action s 50 The program management the particular operating security structure should be organized to best address the goals of the program include management and coordination of security-related resources 51 6 to interaction with diverse to upper management See Computer Security Program Management In assigning responsibilities responsibility in reality 52 program and respond and risk environment of the organization Important issues for the structure of the computer communities and the ability to relay issues of concern trade-offs and recommended actions Chapter 52 The need to obtain it is necessary to be specific such assignments as computer security mean no one has is everyone's specific responsibility guidance from appropriate legal counsel is critical when addressing issues involving penalties and disciplinary action for individuals The policy does not need to restate penalties already provided for by law although they 
can be listed if the policy will also be used as an awareness or training document 36 5 Computer Security Policy Those developing compliance policy should remember that violations of policy can be unintentional on the part of employees For example nonconformance can often be due of knowledge or training to a lack 5 2 Issue-Specific Policy Whereas program policy is intended to address the broad organizationwide computer security program issue-specific policies are developed to focus on areas of current relevance and concern Management may and sometimes controversy to an organization example to issue a policy on how A policy could also be issued for example technology whose security vulnerabilities are Issue-specific policies may it appropriate for the organization will approach contingency planning centralized vs decentralized or the use of a particular systems find also be appropriate still on methodology for managing risk to the appropriate use of a cutting-edge largely when new unknown within the organization issues arise such as when implementing a recently passed law requiring additional protection of particular information Program policy usually broad enough that it policies are likely to require is does not require much modification over time whereas issue- specific more frequent revision as changes in technology and related factors take place In general for issue-specific and system-specific policy the issuer global controversial or resource-intensive the 5 2 1 Example Topics more is a senior official the more senior the issuer for Issue-Specific Policy Both new technologies and the appearance of new threats often require the creation of issue-specific policies There are many areas for which issue-specific policy may be Two appropriate wmmmmmmmmmMmm ns mmmmmmmmmmmmm examples are explained below Internet Access Many organizations are looking at the Internet as a means for expanding then- research opportunities and communications Unquestionably connecting to 
the Internet yields many benefits include who - and some will disadvantages Some issues an Internet access policy may address have access which types of systems may be connected to the network what types of information may be transmitted via the network requirements for user authentication for Internet-connected systems and the use of firewalls and secure gateways 53 Examples presented required by all in this section are not all-inclusive nor meant to imply that policies organizations 37 in each of these areas are Management Controls E-Mail Privacy Users of computer e-mail systems have come to rely upon that service for informal and others However since the system typically owned by include approach to risk is confidential proprietary information unauthorized o oftw management monitor the employee's e-mail for to various reasons e g to be sure that for business purposes only or distributing suspected of it is On at acqujsition of softwarCi doing computer homei bringing used malicious code and physical emergencies viruses sending the other hand users of privacy TM TM TM TM TM 111 may have area addresses what in this be accorded e-mail and the circumstances under which will files responsibility for correctness of data suspected an expectation of privacy similar to that accorded U S mail Policy level from outside the in disks encryption of files and e-mail rights of privacy workplace access to other employees' they are if offensive e-mail or disclosing organizational secrets management and contingency planning protection of the employing organization from time-to-time may wish Other potential candidates for issue-specific policies communication with colleagues it may or may not be read 5 2 2 Basic Components of Issue-Specific As suggested into its for program Policy policy a useful structure for issue-specific policy is to break the policy basic components Issue Statement To formulate a policy on an issue managers relevant terms distinctions and conditions included 
justification for the policy - which can be It is first must define the issue with any also often useful to specify the goal or helpful in gaining compliance with the policy For example an organization might want to develop an issue-specific policy on the use of unofficial software which might be defined to mean any software not approved purchased screened managed and owned by the organization Additionally the applicable distinctions and conditions might then need to be included for instance for software privately owned by employees but approved for use work and for software owned and used by other businesses under contract to at the organization Statement of the Organization 's Position Once the issue is stated and related terms and conditions are discussed this section is used to clearly state the organization's position i e management's decision on the issue To continue the previous example this would whether use of unofficial software as defined is prohibited in all or some mean stating cases whether there are further guidelines for approval and use or whether case-by-case exceptions will be granted whom and on what Applicability basis how when to whom and to what a particular policy could be that the hypothetical policy on unofficial software organization's means Issue-specific policies also need to include statements of applicability This clarifying where own by on-site resources and is applies For example intended to apply only to the employees and not to contractors with offices 38 it at other 5 locations Computer Security Policy Additionally the policy's applicability to employees travelling and or working at home who need among different sites to transport and use disks at multiple sites might need to be clarified Roles and Responsibilities The assignment of roles and responsibilities issue-specific policies For example permits unofficial software privately employees to be used at work with if owned by mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm the appropriate 
Some Helpful such permission would need to be stated Policy who would be aids implementation of policy organization Management presentations forums and newsletters increase organization's users in regard to unofficial software appropriate it may be can be used to familiarize new employees with the organization's employees feel inundated with policies directives organizational personnel policies and practices guidelines and procedures When is used they should be coordinated with may The organization's policy the vehicle for emphasizing management's commitment to computer security and making clear their expectations for employee performance appropriate officials and offices and perhaps It policies Computer security policies should be introduced in a manner that ensures that management's unqualified support is clear especially in environments where and the and should be consistent with units The awareness program can effectively notify users of new consequences of such behavior Penalties may be employee bargaining visibility detail the infractions that are unacceptable explicitly stated videos computer security training and policies It also some Visibility to ensure panel discussions guest speakers question answer approved software is used on organizational computer resources and perhaps for monitoring to describe in by helping policy is fully communicated throughout the responsible for ensuring that only Compliance For some types of policy Hints on Policy To be effective policy requires visibility who by position has such Likewise it would need to be clarified stipulate authority also usually included in the policy approvals then the approval authority granting would is also be behavior and accountability desirable to task a specific office within the To be effective organization to monitor compliance policy should be consistent with other existing directives laws organizational culture Points of Contact guidelines procedures and Supplementary mission Information For 
...the organization's overall policy. It should also be integrated into and consistent with other organizational policies (e.g., personnel policies). One way to help ensure this is to coordinate policies during development with other organizational offices.

For any issue-specific policy, the appropriate individuals in the organization to contact for further information, guidance, and compliance should be indicated. Since positions tend to change less often than the people occupying them, specific positions may be preferable as the point of contact. For example, for some issues the point of contact might be a line manager; for other issues it might be a facility manager, technical support person, system administrator, or security program representative. Using the above example once more, employees would need to know whether the point of contact for questions and procedural information would be their immediate superior, a system administrator, or a computer security official.

Guidelines and procedures often accompany policy. The issue-specific policy on unofficial software, for example, might include procedural guidelines for checking disks brought to work that had been used by employees at other locations.

5.3 System-Specific Policy

Program policy and issue-specific policy both address policy from a broad level, usually encompassing the entire organization. However, they do not provide sufficient information or direction, for example, to be used in establishing an access control list or in training users on what actions are permitted. System-specific policy fills this need. It is much more focused, since it addresses only one system.

Many security policy decisions may apply only at the system level and may vary from system to system within the same organization. While these decisions may appear to be too detailed to be policy, they can be extremely important, with significant impacts on system usage and security. These types of decisions can be made by a management official, not by a technical system administrator (footnote 54). (The impacts of these decisions, however, are often analyzed by technical system administrators.)

To develop a cohesive and comprehensive set of security policies, officials may use a management process that derives security rules from security goals. It is helpful to consider a two-level model for system security policy: security objectives and operational security rules, which together comprise the system-specific policy. Closely linked and often difficult to distinguish, however, is the implementation of the policy in technology.

System-specific security policy includes two components: security objectives and operational security rules. It is often accompanied by implementing procedures and guidelines.

Footnote 54: It is important to remember that policy is not created in a vacuum. For example, it is critical to understand the system mission and how the system is intended to be used. Also, users may play an important role in setting policy.

5.3.1 Security Objectives

The first step in the management process is to define security objectives for the specific system. Although this process may start with an analysis of the need for integrity, availability, and confidentiality, it should not stop there. A security objective needs to be more specific; it should be concrete and well defined. It also should be stated so that it is clear that the objective is achievable. This process will also draw upon other applicable organization policies.

Sample Security Objective: Only individuals in the accounting and personnel departments are authorized to provide or modify information used in payroll processing.

Security objectives consist of a series of statements that describe meaningful actions about explicit resources. These objectives should be based on system functional or mission requirements, but should state the security actions that support the requirements.

Development of system-specific policy will require management to make trade-offs, since it is unlikely that all desired security objectives will be able to be fully met. Management will face cost, operational, technical, and other constraints.

5.3.2 Operational Security Rules

After management determines the security objectives, the rules for operating a system can be laid out, for example, to define authorized and unauthorized modification: who (by job category, organization placement, or name) can do what (e.g., modify, delete) to which specific classes and records of data, and under what conditions.

Sample Operational Security Rule: Personnel clerks may update fields for weekly attendance, charges to annual leave, employee addresses, and telephone numbers. Personnel specialists may update salary information. No employees may update their own records.

The degree of specificity needed for operational security rules varies greatly. The more detailed the rules are, up to a point, the easier it is to know when one has been violated. It is also, up to a point, easier to automate policy enforcement. However, overly detailed rules may make the job of instructing a computer to implement them difficult or computationally complex.

In addition to deciding the level of detail, management should decide the degree of formality in documenting the system-specific policy. Once again, the more formal the documentation, the easier it is to enforce and to follow policy. On the other hand, policy at the system level that is too detailed and formal can also be an administrative burden. In general, good practice suggests a reasonably detailed formal statement of the access privileges for a system. Documenting access controls policy will make it substantially easier to follow and to enforce. (See Chapters 10 and 17, Personnel/User Issues and Logical Access Control.) Another area that normally requires a detailed and formal statement is the assignment of security responsibilities. Other areas that should be addressed are the rules for system usage and the consequences of noncompliance.

Policy decisions in other areas of computer security, such as those described in this handbook, are often documented in the risk analysis, accreditation statements, or procedural manuals. However, any controversial, atypical, or uncommon policies will also need formal statements. Atypical policies would include any areas where the system policy is different from organizational policy or from normal practice within the organization, either more or less stringent. The documentation for an atypical policy contains a statement explaining the reason for deviation from the organization's standard policy.

5.3.3 System-Specific Policy Implementation

Technology plays an important, but not sole, role in enforcing system-specific policies. When technology is used to enforce policy, it is important not to neglect nontechnology-based methods. For example, technical system-based controls could be used to limit the printing of confidential reports to a particular printer. However, corresponding physical security measures would also have to be in place to limit access to the printer output, or the desired security objective would not be achieved.

Technical methods frequently used to implement system-security policy are likely to include the use of logical access controls. However, there are other automated means of enforcing or supporting security policy that typically supplement logical access controls. For example, technology can be used to block telephone users from calling certain numbers. Intrusion-detection software can alert system administrators to suspicious activity or can take action to stop the activity. Personal computers can be configured to prevent booting from a floppy disk.

Technology-based enforcement of system-security policy has both advantages and disadvantages. A computer system, properly designed, programmed, installed, configured, and maintained (footnote 55), consistently enforces policy within the computer system, although no computer can force users to follow all procedures.
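As an added illustration (not code from the handbook), the sample operational security rule of section 5.3.2 encoded as the kind of logical access control a system could use to enforce it and to report violations; the role names, field names, employee numbers and log entries are constructed assumptions.

```python
"""Policy-as-code for the handbook's sample operational security rule (5.3.2).

Added example, not code from the handbook.  The role names, field names,
employee numbers and log entries below are constructed for illustration.
"""
from dataclasses import dataclass

# Which personnel-record fields each job category may update, taken from the
# sample rule: clerks handle attendance, leave charges, addresses and phone
# numbers; specialists handle salary.  Any role not listed may update nothing.
UPDATE_RULES = {
    "personnel_clerk": frozenset(
        {"weekly_attendance", "annual_leave_charges", "address", "telephone"}
    ),
    "personnel_specialist": frozenset({"salary"}),
}


@dataclass(frozen=True)
class UpdateRequest:
    actor_id: str    # employee number of the person making the change
    actor_role: str  # job category (the sample rule is stated by job category)
    record_id: str   # employee number of the record being changed
    field: str       # field the actor wants to update


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def decide(req: UpdateRequest) -> Decision:
    """Apply the three sample rules to one update request."""
    # "No employees may update their own records" is a condition that applies
    # regardless of job category, so it is checked before any role grant.
    if req.actor_id == req.record_id:
        return Decision(False, "employees may not update their own records")
    permitted = UPDATE_RULES.get(req.actor_role, frozenset())
    if req.field in permitted:
        return Decision(True, f"{req.actor_role} may update {req.field}")
    # Default deny: the rule grants specific fields to specific roles, so a
    # specialist touching an address is unauthorized even though a clerk may.
    return Decision(False, f"{req.actor_role} may not update {req.field}")


def audit_violations(requests):
    """Replay a log of attempted updates and return the ones that violate policy.

    A formal, detailed rule statement is what makes this check possible: the
    same table that enforces the rule also tells an auditor which attempts
    were violations, and why.
    """
    return [
        (req, decide(req).reason) for req in requests if not decide(req).allowed
    ]


# Constructed sample log of update attempts (not from the handbook).
SAMPLE_LOG = [
    UpdateRequest("1001", "personnel_clerk", "2002", "address"),
    UpdateRequest("1001", "personnel_clerk", "1001", "telephone"),  # own record
    UpdateRequest("1001", "personnel_clerk", "2002", "salary"),     # wrong role
    UpdateRequest("3003", "personnel_specialist", "2002", "salary"),
    UpdateRequest("3003", "personnel_specialist", "2002", "address"),
    UpdateRequest("4004", "line_manager", "2002", "annual_leave_charges"),
]

if __name__ == "__main__":
    for req, reason in audit_violations(SAMPLE_LOG):
        print(f"VIOLATION {req.actor_id} -> {req.record_id}.{req.field}: {reason}")
```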
Management controls also play an important role and should not be neglected. In addition, deviations from the policy may sometimes be necessary and appropriate; such deviations may be difficult to implement easily with some technical controls. This situation occurs frequently if implementation of the security policy is too rigid (which can occur when the system analysts fail to anticipate contingencies and prepare for them).

Footnote 55: Doing all of these things properly is, unfortunately, the exception rather than the rule. Confidence in the system's ability to enforce system-specific policy is closely tied to assurance. (See Chapter 9, Assurance.)

5.4 Interdependencies

Policy is related to many of the topics covered in this handbook:

Program Management. Policy is used to establish an organization's computer security program, and is therefore closely tied to program management and administration. Both program and system-specific policy may be established in any of the areas covered in this handbook. For example, an organization may wish to have a consistent approach to incident handling for all its systems, and would issue appropriate program policy to do so. On the other hand, it may decide that its applications are sufficiently independent of each other that application managers should deal with incidents on an individual basis.

Access Controls. System-specific policy is often implemented through the use of access controls. For example, it may be a policy decision that only two individuals in an organization are authorized to run a check-printing program. Access controls are used by the system to implement (or enforce) this policy.

Links to Broader Organizational Policies. This chapter has focused on the types and components of computer security policy. However, it is important to realize that computer security policies are often extensions of an organization's information security policies for handling information in other forms (e.g., paper documents). For example, an organization's e-mail policy would probably be tied to its broader policy on privacy. Computer security policies may also be extensions of other policies, such as those about appropriate use of equipment and facilities.

5.5 Cost Considerations

A number of potential costs are associated with developing and implementing computer security policies. Overall, the major cost of policy is the cost of implementing the policy and its impacts upon the organization. For example, establishing a computer security program, accomplished through policy, does not come at negligible cost.

Other costs may be those incurred through the policy development process. Numerous administrative and management activities may be required for drafting, reviewing, coordinating, clearing, disseminating, and publicizing policies. In many organizations, successful policy implementation may require additional staffing and training, and can take time.

In general, the costs to an organization for computer security policy development and implementation will depend upon how extensive the change needed to achieve a level of risk acceptable to management.

Chapter 6 COMPUTER SECURITY PROGRAM MANAGEMENT

Computers and the information they process are critical to many organizations' ability to perform their mission and business functions. It therefore makes sense that executives view computer security as a management issue and seek to protect their organization's computer resources as they would any other valuable asset. To do this effectively requires developing a comprehensive management approach.

This chapter presents an organizationwide approach to computer security and discusses its important management function (footnote 56). Because organizations differ vastly in size, complexity, management styles, and culture, it is not possible to describe one ideal computer security program. However, this chapter does describe some of the features and issues common to many federal organizations (footnote 57).

OMB Circular A-130, Management of Federal Information Resources, requires that federal agencies establish computer security programs.

Footnote 56: This chapter is primarily directed at federal agencies, which are generally very large and complex organizations. This chapter discusses programs which are suited to managing security in such environments. They may be wholly inappropriate for smaller organizations or private sector firms.

Footnote 57: This chapter addresses the management of security programs, not the various activities, such as risk analysis or contingency planning, that make up an effective security program.
6.1 Structure of a Computer Security Program

Many computer security programs are distributed throughout the organization, with different elements performing various functions. While this approach has benefits, the distribution of the computer security function in many organizations is haphazard, usually based upon history (i.e., who was available in the organization to do what when the need arose). Ideally, the distribution of computer security functions should result from a planned and integrated management philosophy.

A federal agency computer security program is created and operates in an environment rich in guidance and direction from other organizations. Figure 6.1 illustrates some of the external sources of requirements and guidance directed toward agency management with regard to computer security. While a full discussion of each is outside the scope of this chapter, it is important to realize that a program does not operate in a vacuum; federal organizations are constrained -- by both statute and regulation -- in a number of ways.

Figure 6.1: Sources of Some Requirements for Federal Unclassified Computer Security Programs (figure not reproduced; its labels are Laws, Executive Orders, Policy Regulations and Circulars, NIST Standards and Guidelines, Federal Information Processing Standards, Federal Information Resources Management Regulations, OPM Training Regulations, Agency Management, and Agency Computer Security Program).

Figure 6.2 shows a management structure based on that of an actual federal agency. The agency consists of three major units, each with several large computer facilities running multiple applications. This type of organization needs to manage computer security at the agency level, the unit level, the computer facility level, and the application level.

Figure 6.2: Sample Federal Agency Management Structure (figure not reproduced).

Managing computer security at multiple levels brings many benefits. Each level contributes to the overall computer security program with different types of expertise, authority, and resources. In general, higher-level officials (such as those at the headquarters or unit levels in the agency described above) better understand the organization as a whole and have more authority. On the other hand, lower-level officials (at the computer facility and applications levels) are more familiar with the specific requirements, both technical and procedural, and problems of the systems and the users. The levels of computer security program management should be complementary; each can help the other be more effective.

Since many organizations have at least two levels of computer security management, this chapter divides computer security program management into two levels: the central level and the system level. (Each organization, though, may have its own unique structure.) The central computer security program can be used to address the overall management of computer security within an organization or a major component of an organization. The system-level computer security program addresses the management of computer security for a particular system.

6.2 Central Computer Security Programs

The purpose of a central computer security program is to address the overall management of computer security within an organization. In the federal government, the organization could consist of a department, agency, or other major operating unit.

As with the management of all resources, central computer security management can be performed in many practical and cost-effective ways. The importance of sound management cannot be overemphasized. There is also a downside to centrally managed computer security programs. Specifically, they present greater risk that errors in judgement will be more widely propagated throughout the organization. As they strive to meet their objectives, managers need to consider the full impact of available options when establishing their computer security programs.

6.2.1 Benefits of Central Computer Security Programs

A central security program should provide two quite distinct types of benefits:

o Increased efficiency and economy of security throughout the organization, and
o the ability to provide centralized enforcement and oversight.

Both of these benefits are in keeping with the purpose of the Paperwork Reduction Act, as implemented in OMB Circular A-130. The Paperwork Reduction Act establishes a broad mandate for agencies to perform their information management activities in an efficient, effective, and economical manner. Agencies shall assure an adequate level of security for all agency automated information systems, whether maintained in-house or commercially (footnote 58).

Footnote 58: OMB Circular A-130, Section 5; Appendix III, Section 3.

6.2.2 Efficient, Economic Coordination of Information

A central computer security program helps to coordinate and manage effective use of security-related resources throughout the organization. The most important of these resources are normally information and financial resources.

Sound and timely information is necessary for managers to accomplish their tasks effectively. However, most organizations have trouble collecting information from myriad sources and effectively processing and distributing it within the organization. This section discusses some of the sources and efficient uses of computer security information.

Within the federal government, many organizations, such as the Office of Management and Budget, the General Services Administration, the National Institute of Standards and Technology, and the National Telecommunications and Information Administration, provide information on computer, telecommunications, or information resources. This information includes security-related policy, regulations, standards, and guidance. A portion of the information is channelled through the senior designated official for each agency (see Federal Information Resources Management Regulation [FIRMR] Part 201-2). Agencies are expected to have mechanisms in place to distribute the information the senior designated official receives.

Computer security-related information is also available from private and federal professional societies and groups. These groups will often provide the information as a public service, although some private groups charge a fee for it. However, even for information that is free or inexpensive, the costs associated with personnel gathering the information can be high.

Internal security-related information, such as which procedures were effective, virus infections, security problems, and solutions, needs to be shared within an organization. Often this information is specific to the operating environment and culture of the organization. A computer security program administered at the organization level can provide a way to collect the internal security-related information and distribute it as needed throughout the organization. Sometimes an organization can also share this information with external groups. (See Figure 6.3.)

Another use of an effective conduit of information is to increase the central computer security program's ability to influence external and internal policy decisions. If the central computer security program office can represent the entire organization, then its advice is more likely to be heeded by upper management and external organizations. However, to be effective, there should be excellent communication between the system-level computer security programs and the organization level. For example, if an organization were considering consolidating its mainframes into one site (or considering distributing the processing currently done at one site), the central program could provide initial opinions about the security implications. However, to speak authoritatively, central program personnel would have to actually know the security impacts of the proposed change, information that would have to be obtained from the system-level computer security program.

Figure 6.3 shows a simplified version of the flow of computer security-related information among various parts of an organization and across different organizations.

Figure 6.3: Some Principal Security Program Interactions (figure not reproduced).

Besides being able to help an organization use information more cost effectively, a computer security program can also help an organization better spend its scarce security dollars. Organizations can develop expertise and then share it, reducing the need to contract out repeatedly for similar services. An organization's components may develop specialized expertise, which can be shared among components. For example, one operating unit may primarily use UNIX and have developed skills in UNIX security. A second operating unit (with only one UNIX machine) may concentrate on MVS security and rely on the first unit's knowledge and skills for its UNIX machine. The computer security program can help facilitate information sharing.

Personnel at the central computer security program level can also develop their own areas of expertise. For example, they could sharpen their skills in contingency planning and risk analysis to help the entire organization perform these vital security functions.

Besides allowing an organization to share expertise and, therefore, save money, a central computer security program can use its position to consolidate requirements so the organization can negotiate discounts based on volume purchasing of security hardware and software. It also facilitates such activities as strategic planning and organizationwide incident handling and security trend analysis.
6.2.3 Central Enforcement and Oversight

Besides helping an organization improve the economy and efficiency of its computer security program, a centralized program can include an independent evaluation or enforcement function to ensure that organizational subunits are cost-effectively securing resources and following applicable policy. While the Office of the Inspector General (OIG) and external organizations, such as the General Accounting Office (GAO), also perform a valuable evaluation role, they operate outside the regular management channels. Chapters 8 and 9 further discuss the role of independent audit.

There are several reasons for having an oversight function within the regular management channel. First, computer security is an important component in the management of organizational resources. This is a responsibility that cannot be transferred or abandoned. Second, maintaining an internal oversight function allows an organization to find and correct problems without the potential embarrassment of an IG or GAO audit or investigation. Third, the organization may find different problems from those that an outside organization may find. The organization understands its assets, threats, systems, and procedures better than an external organization; additionally, people may have a tendency to be more candid with insiders.

6.3 Elements of an Effective Central Computer Security Program

For a central computer security program to be effective, it should be an established part of organization management. If system managers and applications owners do not need to consistently interact with the security program, then it can become an empty token of upper management's commitment to security.

Stable Program Management Function. A well-established program will have a program manager recognized within the organization as the central computer security program manager. In addition, the program will be staffed with able personnel, and links will be established between the program management function and computer security personnel in other parts of the organization. A computer security program is a complex function that needs a stable base from which to direct the management of such security resources as information and money. The benefits of an oversight function cannot be achieved if the computer security program is not recognized within an organization as having expertise and authority.

Stable Resource Base. A well-established program will have a stable resource base in terms of personnel, funds, and other support. Without a stable resource base, it is impossible to plan and execute programs and projects effectively.

Existence of Policy. Policy provides the foundation for the central computer security program and is the means for documenting and promulgating important decisions about computer security. A central computer security program should also publish standards, regulations, and guidelines that implement and expand on policy. (See Chapter 5.)

Published Mission and Functions Statement. A published mission statement grounds the central computer security program into the unique operating environment of the organization. The statement clearly establishes the function of the computer security program and defines responsibilities for both the computer security program and other related programs and entities. Without such a statement, it is impossible to develop criteria for evaluating the effectiveness of the program.

Long-Term Computer Security Strategy. A well-established program explores and develops long-term strategies to incorporate computer security into the next generation of information technology. Since the computer and telecommunications field moves rapidly, it is essential to plan for future operating environments.

Compliance Program. A central computer security program needs to address compliance with national policies and requirements, as well as organization-specific requirements. National requirements include those prescribed under the Computer Security Act of 1987, OMB Circular A-130, the FIRMR, and Federal Information Processing Standards.

Intraorganizational Liaison. Many offices within an organization can affect computer security. The Information Resources Management organization and physical security office are two obvious examples. However, computer security often overlaps with other offices, such as safety, reliability and quality assurance, internal control, or the Office of the Inspector General. An effective program should have established relationships with these groups in order to integrate computer security into the organization's management. The relationships should encompass more than just the sharing of information; the offices should influence each other.

Example: An Agency IRM should engage in strategic and tactical planning for both information and information technology in accordance with the Paperwork Reduction Act and OMB Circular A-130. Security should be an important component of these plans. The security needs of the agency should be reflected in the information technology choices, and the information needs of the agency should be reflected in the security program.

Liaison with External Groups. There are many sources of computer security information, such as NIST's Computer Security Program Managers' Forum, computer security clearinghouse, and the Forum of Incident Response and Security Teams (FIRST). An established program will be knowledgeable of and will take advantage of external sources of information. It will also be a provider of information.

6.4 System-Level Computer Security Programs

While the central program addresses the entire spectrum of computer security for an organization, system-level programs ensure appropriate and cost-effective security for each system (footnote 59). This includes influencing decisions about what controls to implement, purchasing and installing technical controls, day-to-day computer security administration, evaluating system vulnerabilities, and responding to security problems. It encompasses all the areas discussed in the handbook.

System-level computer security program personnel are the local advocates for computer security. The system security manager/officer raises the issue of security with the cognizant system manager and helps develop solutions for security problems. For example, has the application owner made clear the system's security requirements? Will bringing a new function online affect security, and if so, how? Is the system vulnerable to hackers and viruses? Has the contingency plan been tested? Raising these kinds of questions will force system managers and application owners to identify and address their security requirements.

Footnote 59: As is implied by the name, an organization will typically have several system-level computer security programs. In setting up these programs, the organization should carefully examine the scope of each system-level program. System-level computer security programs may address, for example, the computing resources within an operational element, a major application, or a group of similar systems (either technologically or functionally).

6.5 Elements of Effective System-Level Programs

Like the central computer security program, many factors influence how successful a system-level computer security program is. Many of these are similar to the central program. This section addresses some additional considerations.

Security Plans. The Computer Security Act mandates that agencies develop computer security and privacy plans for sensitive systems. These plans ensure that each federal and federal interest system has appropriate and cost-effective security. System-level security personnel should be in a position to develop and implement security plans. Chapter 8 discusses the plans in more detail.

System-Specific Security Policy. Many computer security policy issues need to be addressed on a system-specific basis. The issues can vary for each system, although access control and the designation of personnel with security responsibility are likely to be needed for all systems. A cohesive and comprehensive set of security policies can be developed by using a process that derives security rules from security goals, as discussed in Chapter 5.

Life Cycle Management. As discussed in Chapter 8, security must be managed throughout a system's life cycle. This specifically includes ensuring that changes to the system are made with attention to security and that accreditation is accomplished.

Integration With System Operations. The system-level computer security program should consist of people who understand the system, its mission, its technology, and its operating environment. Effective security management usually needs to be integrated into the management of the system. Effective integration will ensure that system managers and application owners consider security in the planning and operation of the system. The system security manager/officer should be able to participate in the selection and implementation of appropriate technical controls and security procedures and should understand system vulnerabilities. Also, the system-level computer security program should be capable of responding to security problems in a timely manner.

For large systems, such as a mainframe data center, the security program will often include a manager and several staff positions in such areas as access control, user administration, and contingency and disaster planning. For small systems, such as an officewide local-area-network (LAN), the LAN administrator may have adjunct security responsibilities.

Separation From Operations. A natural tension often exists between computer security and operational elements. In many instances, operational components -- which tend to be far larger and therefore more influential -- seek to resolve this tension by embedding the computer security program in computer operations.
computer security program in computer operations. The typical result of this organizational strategy is a computer security program that lacks independence, has minimal authority, receives little management attention, and has few resources. In many instances, operational elements and system-level programs face this problem most often. As early as 1978, GAO identified this organizational mode as one of the principal basic weaknesses in federal agency computer security programs.[60]

This conflict between the need to be a part of system management and the need for independence has several solutions. The basis of many of the solutions is a link between the computer security program and upper management, often through the central computer security program. A key requirement of this setup is the existence of a reporting structure that does not include system management. Another possibility is for the computer security program to be completely independent of system management and to report directly to higher management. There are many hybrids and permutations, such as co-location of computer security and systems management staff but separate reporting (and supervisory) structures. Figure 6.4 presents one example of placement of the computer security program within a typical Federal agency.[61]

60. General Accounting Office, Automated System Security -- Federal Agencies Should Strengthen Safeguards Over Personal and Other Sensitive Data, GAO Report LCD 78-123, Washington, DC, 1978.

61. No implication that this structure is ideal is intended.

Figure 6.4: Example of Organizational Placement of Computer Security Functions. The figure illustrates one example of the placement of the computer security program-level and system-level functions. The program-level function is located within the IRM organization and sets policy for the organization as a whole. The system-level function, located within the Data Center, provides for day-to-day security at that site; not pictured, other system-level programs may exist for other facilities (e.g., under another Assistant Secretary).

6.6 Central and System-Level Program Interactions

The system-level computer security program implements the policies, guidance, and regulations of the central computer security program. The system-level office also learns from the information disseminated by the central program and uses the experience and expertise of the entire organization. The system-level computer security program further distributes information to systems management as appropriate.

Communications, however, should not be just one way. System-level computer security programs inform the central office about their needs, problems, incidents, and solutions. Analyzing this information allows the central computer security program to represent the various systems to the organization's management and to external agencies and to advocate programs and policies beneficial to the security of all the systems.

A system-level program that is not integrated into the organizational program may have difficulty influencing significant areas affecting security.

6.7 Interdependencies

The general purpose of the computer security program, to improve security, causes it to overlap with other organizational operations as well as with the other security controls discussed in the handbook. The central or system computer security program will address most controls at the policy, procedural, or operational level.

Policy. Policy is issued to establish the computer security program. The central computer security program(s) normally produces policy (and supporting procedures and guidelines) concerning general and organizational security issues and often issue-specific policy. However, the system-level computer security program normally produces policy for that system. Chapter 5 provides additional guidance.

Life Cycle Management. The process of securing a system over its life cycle is the role of the system-level computer security program. Chapter 8 addresses these issues.

Independent Audit. The independent audit function described in Chapters 8 and 9 should complement a central computer security program's compliance functions.

6.8 Cost Considerations

This chapter discussed how an organizationwide computer security program can manage security resources, including financial resources, more effectively. The cost considerations for a system-level computer security program are more closely aligned with the overall cost savings in having security.

The most significant direct cost of a computer security program is personnel. In addition, many programs make frequent and effective use of consultants and contractors. A program also needs funds for training and for travel, oversight, information collection and dissemination, and meetings with personnel at other levels of computer security management.

References

Federal Information Resources Management Regulations, especially 201-2. General Services Administration, Washington, DC.

General Accounting Office. Automated Systems Security -- Federal Agencies Should Strengthen Safeguards Over Personal and Other Sensitive Data. GAO Report LCD 78-123. Washington, DC, 1978.

General Services Administration. Information Resources Security: What Every Federal Manager Should Know. Washington, DC.

Helsing, C., M. Swanson, and M. Todd. Executive Guide to the Protection of Information Resources. Special Publication 500-169. Gaithersburg, MD: National Institute of Standards and Technology, 1989.

Helsing, C., M. Swanson, and M. Todd. Management Guide for the Protection of Information Resources. Special Publication 500-170. Gaithersburg, MD: National Institute of Standards and Technology, 1989.

Managing an Organization Wide Security Program. Computer Security Institute, San Francisco, CA (course).

Office of Management and Budget. Guidance for Preparation of Security Plans for Federal Computer Systems That Contain Sensitive Information. OMB Bulletin 90-08. Washington, DC, 1990.
Office of Management and Budget. Management of Federal Information Resources. OMB Circular A-130.

Owen, R., Jr. "Security Management Using the Quality Approach." Proceedings of the 15th National Computer Security Conference. Baltimore, MD, Vol. 2, 1992, pp. 584-592.

Spiegel, L. "Good LAN Security Requires Analysis of Corporate Data." Infoworld, 15(52), 1993, p. 49.

U.S. Congress. Computer Security Act of 1987. Public Law 100-235, 1988.

Chapter 7
COMPUTER SECURITY RISK MANAGEMENT

Risk is the possibility of something adverse happening. Risk management is the process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk. Though perhaps not always aware of it, individuals manage risks every day. Actions as routine as buckling a car safety belt, carrying an umbrella when rain is forecast, or writing down a list of things to do rather than trusting to memory fall into the purview of risk management. People recognize various threats to their best interests and take precautions to guard against them or to minimize their effects.

Both government and industry routinely manage a myriad of risks. For example, to maximize the return on their investments, businesses must often decide between aggressive (but high-risk) and slow-growth (but more secure) investment plans. These decisions require analysis of risk relative to potential benefits, consideration of alternatives, and, finally, implementation of what management determines to be the best course of action.

Management is concerned with many types of risk. Computer security risk management addresses risks which arise from an organization's use of information technology.

While there are many models and methods for risk management, there are several basic activities and processes that should be performed. In discussing risk management, it is important to recognize its basic, most fundamental assumption: computers cannot ever be fully secured. There is always risk, whether it is from a trusted employee who defrauds the system or a fire that destroys critical resources. Risk management is made up of two primary and one underlying activities: risk assessment and risk mitigation are the primary activities, and uncertainty analysis is the underlying one.

Risk assessment often produces an important side benefit: in-depth knowledge about a system and an organization, as risk analysts try to figure out how systems and functions are interrelated.

7.1 Risk Assessment

Risk assessment, the process of analyzing and interpreting risk, is comprised of three basic activities: (1) determining the assessment's scope and methodology; (2) collecting and analyzing data; and (3) interpreting the risk analysis results.[62]

7.1.1 Determining the Assessment's Scope and Methodology

The first step in assessing risk is to identify the system under consideration, the part of the system that will be analyzed, and the analytical method, including its level of detail and formality.

The assessment may be focused on certain areas where either the degree of risk is unknown or is known to be high. Different parts of a system may be analyzed in greater or lesser detail. Defining the scope and boundary can help ensure a cost-effective assessment. Factors that influence scope include what phase of the life cycle a system is in: more detail might be appropriate for a new system being developed than for an existing system undergoing an upgrade. Another factor is the relative importance of the system under examination: the more essential the system, the more thorough the risk analysis should be. A third factor may be the magnitude and types of changes the system has undergone since the last risk analysis. The addition of new interfaces would warrant a different scope than would installing a new operating system.

A risk assessment can focus on many different areas, such as technical and operational controls to be designed into a new application, the use of telecommunications, a data center, or an entire organization.

Methodologies can be formal or informal, detailed or simplified, high or low level, quantitative (computationally based) or qualitative (based on descriptions or rankings), or a combination of these. No single method is best for all users and all environments.

How the boundary, scope, and methodology are defined will have major consequences in terms of (1) the total amount of effort spent on risk management and (2) the type and usefulness of the assessment's results. The boundary and scope should be selected in a way that will produce an outcome that is clear, specific, and useful to the system and environment under scrutiny.

62. Many different terms are used to describe risk management and its elements. The definitions used in this paper are based on the NIST Risk Management Framework.

7.1.2 Collecting and Analyzing Data

Risk has many different components: assets, threats, vulnerabilities, safeguards, consequences, and likelihood. This examination normally includes gathering data about the threatened area and synthesizing and analyzing the information to make it useful.

Good documentation of risk assessments will make later risk assessments less time consuming and, if a question arises, will help explain why particular security decisions were made.

Because it is possible to collect much more information than can be analyzed, steps need to be taken to limit information gathering and analysis. This process is called screening. A risk management effort should focus on those areas that result in the greatest consequence to the organization (i.e., can cause the most harm). This can be done by ranking threats and assets.

A risk management methodology does not necessarily need to analyze each of the components of risk separately. For example, assets/consequences or threats/likelihoods may be analyzed together.

Asset Valuation. Assets include the information, software, personnel, hardware, and physical assets (such as the computer facility). The value of an asset consists of its intrinsic value and the near-term impacts and long-term consequences of its compromise.

Consequence Assessment. The consequence assessment estimates the degree of harm or loss that could occur. Consequences refers to the overall, aggregate harm that occurs, not just to the near-term or immediate impacts. While such impacts often result in disclosure, modification, destruction, or denial of service, consequences are the more significant long-term effects, such as lost business, failure to perform the system's mission, loss of reputation, violation of privacy, injury, or loss of life. The more severe the consequences of a threat, the greater the risk to the system (and, therefore, the organization).

Threat Identification. A threat is an entity or event with the potential to harm the system. Typical threats are errors, fraud, disgruntled employees, fires, water damage, hackers, and viruses. Threats should be identified and analyzed to determine the likelihood of their occurrence and their potential to harm assets.

In addition to looking at "big-ticket" threats, the risk analysis should investigate areas that are poorly understood, new, or undocumented. If a system has a well-tested physical access control facility, less effort to identify threats may be warranted for it than for unclear, untested software backup procedures.

The risk analysis should concentrate on those threats most likely to occur and affect important assets. In some cases, determining which threats are realistic is not possible until after the threat analysis is begun. Chapter 4 provides additional discussion of today's most prevalent threats.

Safeguard Analysis. A safeguard is any action, device, procedure, technique, or other measure that reduces a system's vulnerability to a threat. Safeguard analysis should include an examination of the effectiveness of the existing security measures. It can also identify new safeguards that could be implemented in the system; however, this is normally performed later in the risk management process.

Vulnerability Analysis. A vulnerability is a condition or weakness in (or absence of) security procedures, technical controls, physical controls, or other controls that could be exploited by a threat. Vulnerabilities are often analyzed in terms of missing safeguards. Vulnerabilities contribute to risk because they may "allow" a threat to harm the system.

The interrelationship of vulnerabilities, threats, and assets is critical to the analysis of risk. Some of these interrelationships are pictured in Figure 7.1. However, there are other interrelationships, such as the presence of a vulnerability inducing a threat. (For example, a normally honest employee might be tempted to alter data when the employee sees that a terminal has been left logged on.)

Figure 7.1: Threats, Vulnerabilities, Safeguards, and Assets (assets shown: data, facilities, hardware, software). Safeguards prevent threats from harming assets. However, if an appropriate safeguard is not present, a vulnerability exists which can be exploited by a threat, thereby putting assets at risk.

Likelihood Assessment. Likelihood is an estimation of the frequency or chance of a threat happening. A likelihood assessment considers the presence, tenacity, and strengths of threats as well as the effectiveness of safeguards (or presence of vulnerabilities). In general, historical information about many threats is weak, particularly with regard to human threats; thus, experience in this area is important. Some threat data -- especially on physical threats such as fires or floods -- is stronger. Care needs to be taken in using any statistical threat data; the source of the data or the analysis may be inaccurate or incomplete. In general, the greater the likelihood of a threat occurring, the greater the risk.

7.1.3 Interpreting Risk Analysis Results

The risk assessment is used to support two related functions: the acceptance of risk and the selection of cost-effective controls. To accomplish these functions, the risk assessment must produce a meaningful output that reflects what is truly important to the organization. Limiting the risk interpretation activity to the most significant risks is another way that the risk management process can be focused to reduce the overall effort while still yielding useful results. If risks are interpreted consistently across an organization, the results can be used to prioritize systems to be secured.

Risk analysis results are typically represented quantitatively and/or qualitatively. Quantitative measures may be expressed in terms of reduced expected monetary losses, such as annualized loss expectancies or single occurrences of loss. Qualitative measures are descriptive, expressed in terms such as high, medium, or low, or rankings on a scale of 1 to 10.

Risk management can help a manager select the most appropriate controls; however, it is not a magic wand that instantly eliminates all difficult issues. The quality of the output depends on the quality of the input and the type of analytical methodology used. In some cases, achieving high-quality input may be impossible, especially for such variables as the prevalence of a particular threat or the anticipated effectiveness of a proposed safeguard. In other cases, the amount of work required to achieve high-quality input will be too costly. For all practical purposes, complete information is never available; uncertainty is always present. Despite these drawbacks, risk management provides a very powerful tool for analyzing the risk associated with computer systems.

7.2 Risk Mitigation

Risk mitigation involves the selection and implementation of security controls to reduce risk to a level acceptable to management, within applicable constraints.[63]

Although there is flexibility in how risk assessment is conducted, the sequence of identifying boundaries, analyzing input, and producing an output is quite natural. The process of risk mitigation has greater flexibility, and the sequence will differ more, depending on organizational culture and the purpose of the risk management activity. Although these activities are discussed in a specific sequence, they need not be performed in that sequence. In particular, the selection of safeguards and risk acceptance testing are likely to be performed simultaneously.

63. The NIST Risk Management Framework refers to risk interpretation as risk measurement. The term interpretation was chosen to emphasize the wide variety of possible outputs from a risk assessment.

[Figure: risk management process diagram. The figure is garbled in this copy; only the labels "Select Safeguards" and "Accept Risk" are recoverable.]

7.2.1 Selecting Safeguards

A primary function of computer security risk management is the identification of appropriate controls. In designing (or reviewing) the security of a system, it may be obvious that some controls should be added (e.g., because they are required by law or because they are clearly cost-effective). It may also be just as obvious that other controls may be too expensive (considering both monetary and nonmonetary factors). For example, it may be immediately apparent to a manager that closing and locking the door to a particular room that contains local area network equipment is a needed control, while posting a guard at the door would be too expensive and not user-friendly. In every assessment of risk, however, there will be many areas for which it will not be obvious what kind of controls are appropriate.

Even considering only issues such as whether a control would cost more than the loss it is supposed to prevent, the selection of controls is not simple. However, in selecting appropriate controls, managers need to consider many factors, including:

o organizational policy, legislation, and regulation;
o safety, reliability, and quality requirements;
o system performance requirements;
o timeliness, accuracy, and completeness requirements;
o the life-cycle costs of security measures;
o technical requirements; and
o cultural constraints.

One method of selecting safeguards uses a "what if" analysis. With this method, the effect of adding various safeguards (and, therefore, reducing vulnerabilities) is tested to see what difference each makes with regard to cost, effectiveness, and other relevant factors, such as those listed above. Trade-offs among the factors can be seen. The analysis of trade-offs also supports the acceptance of residual risk, discussed below. This method typically involves multiple iterations of the risk analysis to see how the proposed changes affect the risk analysis result.

Another method is to categorize types of safeguards and recommend implementing them for various levels of risk. For example, stronger controls would be implemented on high-risk systems than on low-risk systems. This method normally does not require multiple iterations of the risk analysis.

As with other aspects of risk management, screening can be used to concentrate on the highest-risk areas. For example, one could focus on risks with very severe consequences, such as a very high dollar loss or loss of life, or on the threats that are most likely to occur.

What Is a "What If" Analysis?

A "what if" analysis looks at the costs and benefits of various combinations of controls to determine the optimal combination for a particular circumstance. In this example, which addresses only one control, suppose that hacker break-ins alert agency computer security personnel to the security risks of using passwords for identification and authentication. The agency may wish to consider replacing the password system with stronger safeguards in the form of one-time, cryptographic-based passwords, or it may wish to consider strengthening its password procedures.

First, the status quo is examined. The system in place puts minimal demands upon users and system administrators, but the agency has had three hacker break-ins in the last six months.

What if passwords are strengthened? Personnel may be required to use a numeral or other nonalphabetic character in their password, or may be required to change passwords more frequently. There are no direct monetary expenditures, but staff and administrative overhead (for training and replacing forgotten passwords) is increased. Estimates, however, are that this will reduce the number of successful hacker break-ins to three or four per year. Strengthening passwords is often viewed as a step that would be worthwhile even if stronger identification and authentication were also implemented.

What if stronger identification and authentication technology is used? An initial training program would be required, at a cost of $17,500. Direct costs are estimated at $45,000 and yearly recurring costs at $8,000. The agency estimates, however, that this solution would prevent virtually all break-ins.

Computer security personnel use the results of this analysis to make a recommendation to their management, who then weighs the costs and benefits, takes into account other constraints (e.g., budget), and selects a solution.

Risk management is a circular, iterative process.

7.2.2 Accept Residual Risk

At some point, management needs to decide if the operation of the computer system is acceptable, given the kind and severity of remaining risks. Many managers do not fully understand computer-based risk for several reasons: (1) the type of risk may be different from risks previously associated with the organization or function; (2) the risk may be technical and difficult for a lay person to understand; or (3) the proliferation and decentralization of computing power can make it difficult to identify key assets that may be at risk.

Risk acceptance, like the selection of safeguards, should take into account various factors besides those addressed in the risk assessment. In addition, risk acceptance should take into account the limitations of the risk assessment. (See the section below on uncertainty.) Risk acceptance is linked to the selection of safeguards since, in some cases, risk may have to be accepted because safeguards are too expensive (in either monetary or nonmonetary factors).

Within the federal government, the acceptance of risk is closely linked with the authorization to use a computer system, often called accreditation, discussed in Chapters 8 and 9. Accreditation is the acceptance of risk by management resulting in a formal approval for the system to become operational or remain so. As discussed earlier in this chapter, one of the two primary functions of risk management is the interpretation of risk for the purpose of risk acceptance.

7.2.3 Implementing Controls and Monitoring Effectiveness

Merely selecting appropriate safeguards does not reduce risk; those safeguards need to be effectively implemented. Moreover, to continue to be effective, risk management needs to be an ongoing process. This requires a periodic assessment and improvement of safeguards and re-analysis of risks. Chapter 8 discusses how periodic risk assessment is an integral part of the overall management of a system. (See especially the diagram on page 83.)

The risk management process normally produces security requirements that are used to design, purchase, build, or otherwise obtain safeguards or implement system changes. The integration of risk management into the life cycle process is discussed in Chapter 8.

7.3 Uncertainty Analysis

Risk management often must rely on speculation, best guesses, incomplete data, and many unproven assumptions. The uncertainty analysis attempts to document this so that the risk management results can be used knowledgeably. There are two primary sources of uncertainty in the risk management process: (1) a lack of confidence or precision in the risk management model or methodology and (2) a lack of sufficient information to determine the exact value of the elements of the risk model, such as threat frequency, safeguard effectiveness, or consequences.

While uncertainty is always present, it should not invalidate a risk assessment. Data and models, while imperfect, can be good enough for a given purpose.

The risk management framework presented in this chapter is a generic description of risk management elements and their basic relationships. For a methodology to be useful, it should further refine the relationships and offer some means of screening information. In this process, assumptions may be made that do not accurately reflect the user's environment. This is especially evident in the case of safeguard selection, where the number of relationships among assets, threats, and vulnerabilities can become unwieldy.

The data are another source of uncertainty. Data for the risk analysis normally come from two sources: statistical data and expert analysis. Statistics and expert analysis can sound more authoritative than they really are. There are many potential problems with statistics. For example, the sample may be too small, other parameters affecting the data may not be properly accounted for, or the results may be stated in a misleading manner. In many cases, there may be insufficient data. When expert analysis is used to make projections about future events, it should be recognized that the projection is subjective and is based on assumptions made (but not always explicitly articulated) by the expert.

7.4 Interdependencies

Risk management touches on every control and every chapter in this handbook. It is, however, most closely related to life cycle management and the security planning process. The requirement to perform risk management is often discussed in organizational policy and is an issue for organizational oversight. These issues are discussed in Chapters 5 and 6.

7.5 Cost Considerations

The building blocks of risk management presented in this chapter can be used creatively to develop methodologies that concentrate expensive analysis work where it is most needed. Risk management can become expensive very quickly if an expansive boundary and detailed scope are selected. It is very important to use screening techniques, as discussed in this chapter, to limit the overall effort. The goals of risk management should be kept in mind as a methodology is selected or developed. The methodology should concentrate on areas where identification of risk and the selection of cost-effective safeguards are needed.

The cost of different methodologies can be significant. A "back-of-the-envelope" analysis or "high-medium-low" ranking can often provide all the information needed. However, especially for the selection of expensive safeguards or the analysis of systems with unknown consequences, more in-depth analysis may be warranted.

References

Caelli, William, Dennis Longley, and Michael Shain. Information Security Handbook. New York, NY: Stockton Press, 1991.

Carroll, J.M. Managing Risk: A Computer-Aided Strategy. Boston, MA: Butterworths, 1984.

Gilbert, Irene. Guide for Selecting Automated Risk Analysis Tools. Special Publication 500-174. Gaithersburg, MD: National Institute of Standards and Technology, October 1989.

Jaworski, Lisa. "Tandem Threat Scenarios: A Risk Assessment Approach." Proceedings of the 16th National Computer Security Conference. Baltimore, MD, Vol. 1, 1993, pp. 155-164.

Katzke, Stuart. "A Framework for Computer Security Risk Management." 8th Asia Pacific Information Systems Control Conference Proceedings. EDP Auditors Association, Inc., Singapore, October 12-14, 1992.

Levine, M. "Audit Serve Security Evaluation Criteria." Audit Vision, 2(2), 1992, pp. 29-40.

National Bureau of Standards. Guideline for Automatic Data Processing Risk Analysis. Federal Information Processing Standard Publication 65. August 1979.
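Before turning to Chapter 8, here is an added worked example, not text or code from the handbook, that carries the screening step of Section 7.1.2, the high/medium/low ratings of Section 7.1.3, and the "what if" safeguard comparison of Section 7.2.1 through in Python. Only the $17,500 training cost, the $45,000 direct cost, the $8,000 yearly cost, the "three break-ins in six months" rate and the "three or four per year" estimate come from the text; the sample asset/threat pairs, the $25,000 loss per break-in, the $5,000 password-administration overhead and the five-year horizon are constructed assumptions.

```python
"""Added worked example (not from NIST SP 800-12): qualitative screening of
asset/threat pairs, then a quantitative "what if" comparison of safeguards.

Constructed assumptions: the sample risks, LOSS_PER_BREAKIN, the $5,000
password-administration overhead and the YEARS horizon. The $17,500,
$45,000 and $8,000 figures and the incident rates are the handbook's."""
from dataclasses import dataclass

# Qualitative scale (7.1.3): descriptive ratings mapped to ranks.
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class RiskItem:
    asset: str
    threat: str
    likelihood: str   # "low" | "medium" | "high"
    consequence: str  # "low" | "medium" | "high"

    def score(self) -> int:
        # Risk rises with both likelihood and consequence (7.1.2).
        return LEVEL[self.likelihood] * LEVEL[self.consequence]


# Constructed sample input for the screening step.
SAMPLE_RISKS = [
    RiskItem("personnel database", "hacker break-in", "high", "high"),
    RiskItem("personnel database", "disgruntled employee", "medium", "high"),
    RiskItem("LAN equipment room", "fire", "low", "high"),
    RiskItem("backup tapes", "water damage", "low", "medium"),
    RiskItem("bulletin board notices", "errors", "medium", "low"),
]


def screen(items, threshold=4):
    """Screening (7.1.2): rank asset/threat pairs and keep only those that
    can cause the most harm, so detailed analysis effort is concentrated."""
    ranked = sorted(items, key=lambda r: r.score(), reverse=True)
    return [r for r in ranked if r.score() >= threshold]


@dataclass(frozen=True)
class Option:
    name: str
    initial_cost: float       # one-time outlay (training, purchase)
    recurring_cost: float     # per year
    breakins_per_year: float  # expected residual incidents per year


# The three alternatives of the handbook's "what if" example. Six per year
# follows from "three break-ins in the last six months"; the $5,000 is a
# constructed stand-in for the administrative overhead the text leaves unpriced.
OPTIONS = [
    Option("status quo", 0.0, 0.0, 6.0),
    Option("strengthened passwords", 0.0, 5_000.0, 3.5),
    Option("one-time cryptographic passwords", 17_500.0 + 45_000.0, 8_000.0, 0.0),
]
LOSS_PER_BREAKIN = 25_000.0  # constructed consequence estimate per incident
YEARS = 5                    # constructed planning horizon


def annual_cost(opt, loss_per_breakin=LOSS_PER_BREAKIN, years=YEARS):
    """Annualized cost of an option: safeguard cost spread over the horizon
    plus the annualized loss expectancy (ALE) of the residual break-ins."""
    ale = opt.breakins_per_year * loss_per_breakin
    return opt.initial_cost / years + opt.recurring_cost + ale


def what_if(options=OPTIONS, loss_per_breakin=LOSS_PER_BREAKIN, years=YEARS):
    """Return (cheapest option name, {name: annual cost}) for the inputs."""
    costs = {o.name: annual_cost(o, loss_per_breakin, years) for o in options}
    return min(costs, key=costs.get), costs


def breakeven_loss(a, b, years=YEARS):
    """Loss per break-in at which options a and b cost the same per year.
    The loss figure is a guess (7.3, uncertainty); knowing where the
    decision flips shows how much that guess matters."""
    fixed_a = a.initial_cost / years + a.recurring_cost
    fixed_b = b.initial_cost / years + b.recurring_cost
    delta = a.breakins_per_year - b.breakins_per_year
    return None if delta == 0 else (fixed_b - fixed_a) / delta


if __name__ == "__main__":
    for r in screen(SAMPLE_RISKS):
        print(f"{r.score()}  {r.asset}: {r.threat}")
    best, costs = what_if()
    for name, c in costs.items():
        print(f"{name:34s} ${c:>10,.0f}/yr")
    print("recommend:", best)
    print("break-even loss per break-in (passwords vs. one-time):",
          round(breakeven_loss(OPTIONS[1], OPTIONS[2]), 2))
```

The point of `breakeven_loss` is the uncertainty analysis of Section 7.3: with the constructed $25,000 loss the one-time password system is cheapest, but if a break-in costs the agency less than roughly $4,400 the cheaper password-strengthening option wins, so the manager knows which input deserves the most scrutiny before accepting the recommendation.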
National Institute of Standards and Technology. Guideline for the Analysis of Local Area Network Security. Federal Information Processing Standard Publication 191. November 1994.

O'Neill, M., and F. Henninge, Jr. "Understanding ADP System and Network Security Considerations and Risk Analysis." ISSA Access, 5(4), 1992, pp. 14-17.

Proceedings, 4th International Computer Security Risk Management Model Builders Workshop. University of Maryland, National Institute of Standards and Technology, College Park, MD, August 6-8, 1991.

Proceedings, 3rd International Computer Security Risk Management Model Builders Workshop. Los Alamos National Laboratory, National Institute of Standards and Technology, National Computer Security Center, Santa Fe, New Mexico, August 21-23, 1990.

Proceedings, 1989 Computer Security Risk Management Model Builders Workshop. AIT Corporation, Communications Security Establishment, National Computer Security Center, National Institute of Standards and Technology, Ottawa, Canada, June 20-22, 1989.

Proceedings, 1988 Computer Security Risk Management Model Builders Workshop. Martin Marietta, National Bureau of Standards, National Computer Security Center, Denver, Colorado, May 24-26, 1988.

Spiegel, L. "Good LAN Security Requires Analysis of Corporate Data." Infoworld, 15(52), 1993, p. 49.

Wood, C. "Building Security Into Your System Reduces the Risk of a Breach." LAN Times, 10(3), 1993, p. 47.

Wood, C., et al. Computer Security: A Comprehensive Controls Checklist. New York, NY: John Wiley & Sons, 1987.

Chapter 8
SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE

Like other aspects of information processing systems, security is most effective and efficient if planned and managed throughout a computer system's life cycle, from initial planning, through design, implementation, and operation, to disposal.[65] Many security-relevant events and analyses occur during a system's life.[66] This chapter explains the relationship among them and how they fit together. It also discusses the important role of security planning in helping to ensure that security issues are addressed comprehensively.

This chapter examines:

o system security plans,
o the components of the computer system life cycle,
o the benefits of integrating security into the computer system life cycle, and
o techniques for addressing security in the life cycle.

65. A computer system refers to a collection of processes, hardware, and software that perform a function. This includes applications, networks, or support systems.

66. Although this chapter addresses a life cycle process that starts with system initiation, the process can be initiated at any point in the life cycle.

8.1 Computer Security Act Issues for Federal Systems

Planning is used to help ensure that security is addressed in a comprehensive manner throughout a system's life cycle. For federal systems, the Computer Security Act of 1987 sets forth a statutory requirement for the preparation of computer security plans for all sensitive systems in the federal government.[67]

The intent and spirit of the Act is to improve computer security in the federal government, not to create paperwork. In keeping with this intent, the Office of Management and Budget (OMB) and NIST have guided agencies toward a planning process that emphasizes good planning and management of computer security within an agency and for each computer system. As emphasized in this chapter, computer security management should be a part of computer systems management. The benefit of having a distinct computer security plan is to ensure that computer security is not overlooked.

The Act required the submission of plans to NIST and the National Security Agency (NSA) for review and comment, a process which has been completed. Current guidance on implementing the Act requires agencies to obtain independent review of computer security plans. This review may be internal or external, as deemed appropriate by the agency.

The purpose of the system security plan is to provide a basic overview of the security and privacy requirements of the subject system and the agency's plan for meeting those requirements. The system security plan may also be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. (OMB Bulletin 90-08)

A typical plan briefly describes the important security considerations for the system and provides references to more detailed documents, such as system security plans, contingency plans, training programs, accreditation statements, incident handling plans, or audit results. This enables the plan to be used as a management tool without requiring repetition of existing documents. For smaller systems, the plan may include all security documentation. As with other security documents, if a plan addresses specific vulnerabilities or other information that could compromise the system, it should be kept private. It also has to be kept up-to-date.

67. An organization will typically have many computer security plans. However, it is not necessary that a separate and distinct plan exist for every physical system (e.g., PCs). Plans may address, for example, the computing resources within an operational element, a major application, or a group of similar systems (either technologically or functionally).

8.2 Benefits of Integrating Security in the Computer System Life Cycle

Although a computer security plan can be developed for a system at any point in the life cycle, the recommended approach is to draw up the plan at the beginning of the computer system life cycle. Security, like other aspects of a computer system, is best managed if planned for throughout the computer system life cycle. It has long been a tenet of the computer community that it costs ten times more to add a feature in a system after it has been designed than to include the feature in the system at the initial design phase. The principal reason for implementing security during a system's development is that it is more difficult to implement it later (as is usually reflected in the higher costs of doing so). It also tends to disrupt ongoing operations.

Different people can provide security input throughout the life cycle of a system, including the accrediting official, data users, systems users, and system technical staff.

Security also needs to be incorporated into the later phases of the computer system life cycle to help ensure that security keeps up with changes in the system's environment, technology, procedures, and personnel. It also ensures that security is considered in system upgrades, including the purchase of new components or the design of new modules. Adding new security controls to a system after a security breach, mishap, or audit can lead to haphazard security that can be more expensive and less effective than security that is already integrated into the system. It can also significantly degrade system performance. Of course, it is virtually impossible to anticipate the whole array of problems that may arise during a system's lifetime. Therefore, it is generally useful to update the computer security plan at least at the end of each phase in the life cycle and after each re-accreditation. For many systems, it may be useful to update the plan more often.

Life cycle management also helps document security-relevant decisions, in addition to helping assure management that security is fully considered in all phases. This documentation benefits system management officials as well as oversight and independent audit groups. System management personnel use documentation as a self-check and reminder of why decisions were made so that the impact of changes in the environment can be more easily assessed. Oversight and independent audit groups use the documentation in their reviews to verify that system management has done an adequate job and to highlight areas where security may have been overlooked. This includes examining whether the documentation accurately reflects how the system is actually being operated.

Within the federal government, the Computer Security Act of 1987 and its implementing instructions provide specific requirements for computer security plans. These plans are a form of documentation that helps ensure that security is considered not only during system design and development but also throughout the rest of the life cycle. Plans can also be used to be sure that requirements of Appendix III to OMB Circular A-130, as well as other applicable requirements, have been addressed.

8.3 Overview of the Computer System Life Cycle

There are many models for the computer system life cycle, but most contain five basic phases, as pictured in Figure 8.1.

o Initiation. During the initiation phase, the need for a system is expressed and the purpose of the system is documented.
o Development/Acquisition. During this phase the system is designed, purchased, programmed, developed, or otherwise constructed. This phase often consists of other defined cycles, such as the system development cycle or the acquisition cycle.
o Implementation. After initial system testing, the system is installed or fielded.
o Operation/Maintenance. During this phase the system performs its work. The system is almost always modified by the addition of hardware and software and by numerous other events.
o Disposal. The computer system is disposed of once the transition to a new computer system is completed.

Each phase can apply to an entire system, a new component or module, or a system upgrade. As with other aspects of systems management, the level of detail and analysis for each activity described here is determined by many factors, including size, complexity, system cost, and sensitivity.

Many people find the concept of a computer system life cycle confusing because many cycles occur within the broad framework of the entire computer system life cycle. For example, an organization could develop a system using a system development life cycle. During the system's life, the organization might purchase new components using the acquisition life cycle.

Many different life cycles are associated with computer systems, including the system development, acquisition, and information life cycles.

Moreover, the computer system life cycle itself is merely one component of other life cycles. For example, consider the information life cycle. Normally information, such as personnel data, is used much longer than the life of one computer system. If an employee works for an organization for thirty years and collects retirement for another twenty, the employee's automated personnel record will probably pass through many different organizational computer systems owned by the company. In addition, parts of the information will also be used in other computer systems, such as those of the Internal Revenue Service and the Social Security Administration.

8.4 Security Activities in the Computer System Life Cycle

This section reviews the security activities that arise in each stage of the computer system life cycle.[68] (See Figure 8.1.)

68. For brevity and because of the uniqueness of each system, none of these discussions can include the details of all possible security activities at any particular life cycle phase.

8.4.1 Initiation

The conceptual and early design process of a system involves the discovery of a need for a new system or enhancements to an existing system; early ideas as to system characteristics and proposed functionality; brainstorming sessions on architectural, performance, or functional system aspects; and environmental, financial, political, or other constraints. At the same time, the basic security aspects of a system should be developed along with the early system design. This can be done through a sensitivity assessment.

[Figure 8.1: the computer system life cycle. The figure is garbled in this copy and its content is not recoverable.]

8.4.1.1 Conducting a Sensitivity Assessment

The definition of sensitive ... Sensitive is ... Some ... The ... itself is sensitive because
processed and the system data confidential u sensitivity of both the information to be u u often misconstrued u be kePl Much more data however is sensitive o o uV u j because its integrity or availability A sensitivity assessment looks at the ru is synonymous with important or valuable i The computer Security Act and must be assured OMB Circular A-l 30 assessment should consider legal implications clearly state that information is sensitive if its organization policy including federal and unauthorized disclosure modification agency policy if a federal system and the ril integrity or unavailability functional needs of the system J Sensitivity J and confidentiality Such loss of In general the more important a system is to the mission e r t o oo of the agency the more sensitive it is is normally expressed in terms of integrity availability i e would harm the agency i factors as the importance of the system to the organization's mission and the consequences of unauthorized modification unauthorized disclosure or unavailability of the system or data need to be To address these types of issues the people who use or own examined when assessing sensitivity the system or information should participate in the assessment A sensitivity assessment should answer the following questions What information is handled by the system What kind of potential damage could occur through error unauthorized disclosure or modification or unavailability of data or the system What laws or regulations affect security e g the Privacy Act or the Fair Trade Practices Act To what threats Are there is the system or information particularly vulnerable significant environmental considerations e g hazardous location of system What are the security-relevant characteristics of the user community e g level of technical sophistication and training or security clearances What internal security standards regulations or guidelines apply to this system The sensitivity assessment starts an analysis of security 
that continues throughout the life cycle The assessment helps determine if the project needs special security oversight if further analysis 76 is 8 needed before committing to begin system development cost or in rare instances Life Cycle Security to ensure feasibility at a reasonable whether the security requirements are so strenuous and costly that system development or acquisition will not be pursued The sensitivity assessment can be included with the system initiation documentation either as a separate document or as a section of another planning document The development of security features procedures and assurances described in the next section builds on the sensitivity assessment A sensitivity assessment can also be performed during the planning stages of system upgrades either upgrades being procured or developed in house In this case the assessment focuses for on the affected areas If the upgrade significantly affects the original assessment steps can be taken on the rest of the system For example some controls become unnecessary to analyze the impact are new controls needed Will 8 4 2 Development Acquisition For most systems the development acquisition phase is more complicated than the initiation phase Security activities can be divided into three parts o determining security features assurances and operational practices o incorporating these security requirements into design specifications and o actually acquiring them These divisions apply to systems that are designed and built in house to systems that are purchased and to systems developed using a hybrid approach During this phase technical staff and system sponsors should actively work together to ensure that the technical designs reflect the system's security needs As with development and incorporation of other system requirements this process requires an open dialogue between technical staff and system sponsors It is important to address security requirements effectively in synchronization with 
development of the overall system 8 4 2 1 Determining Security Requirements During the first part of the development acquisition phase system planners define the requirements of the system Security requirements should be developed at the same time These requirements can be expressed as technical features e g access controls assurances background checks for system developers or operational practices System e g security requirements like other system requirements are derived e g awareness and training from a number of sources including law policy applicable standards and guidelines functional needs of the system and cost-benefit trade-offs 77 Management Law Besides Controls specific laws that place security requirements Act of 1974 there are laws court cases legal opinions on information such as the Privacy and other similar legal material that may affect security directly or indirectly Policy As discussed System security requirements are in Chapter management officials issue several different types of policy often derived from issue-specific policy 5 Standards and Guidelines International national and organizational standards and guidelines are another source for determining security features assurances and operational practices Standards and guidelines are often written in an if then manner data then a particular cryptographic algorithm should be used e g if the Many system is encrypting organizations specify baseline controls for different types of systems such as administrative mission- or businesscritical or proprietary As required special care should be given to interoperability standards Functional Needs of the System The purpose of security not to undermine it Therefore many is to support the function of the system aspects of the function of the system will produce related security requirements Cost-Benefit Analysis When considering security cost-benefit analysis is done through risk assessment which examines the assets threats and vulnerabilities of the 
system in order to determine the most appropriate cost-effective safeguards that comply with applicable laws policy standards those whose and the functional needs of the system Appropriate safeguards are normally anticipated benefits outweigh their costs Benefits and costs include monetary and nonmonetary issues such as prevented losses maintaining an organization's reputation decreased user friendliness or increased system administration Risk assessment like cost-benefit analysis is used to support decision making It helps managers The extent of the risk assessment like that of other cost-benefit should be commensurate with the complexity and cost normally an indicator of select cost-effective safeguards analyses complexity of the system and the expected benefits of the assessment Risk assessment discussed in Chapter is further 7 Risk assessment can be performed during the requirements analysis phase of a procurement or the design phase of a system development cycle Risk should also normally be assessed during the development acquisition phase of a system upgrade The risk assessment may be performed once or multiple times depending upon the project's methodology Care should be taken in differentiating Many system development and complete the project - between security risk assessment and project risk analysis acquisition projects analyze the risk of failing to successfully a different activity from security risk assessment 78 Life Cycle Security 8 Requirements Into Specifications 8 4 2 2 Incorporating Security Determining security features assurances and operational practices can yield significant security information and often voluminous requirements This information needs to be validated updated and organized into the detailed security protection requirements and specifications used by systems designers or purchasers Specifications can take on quite different forms depending on methodology used the for to develop the system or whether the system or parts of the 
system are being purchased off the shelf As specifications are developed recommended by safeguard it may be necessary to update implement may be u l-u- - u j- i the office M nm n m-- WW n critical to being able to cost-effectively test security J features j prevent employees from checking their e-mail away from Developing testing specifications early can be o i requirement that prohibits dial-in access could while A difficult to For example a security assessments the risk assessment could be incompatible with other requirements or a control initial risk BlliHiBBpiBBiBiBiwmmmmmmmmmmmmmmmmmmmmmmmmm 69 Besides the technical and operational controls of a system assurance also should be addressed The degree and to which assurance effectively determined it is that the security features needed should be determined necessary to figure out is whether the specifications have been how early and practices can and do work correctly Once system or to provide another form of designed into the system or otherwise provided for if initial rigorous assurance During this process phase the system is needed the and ongoing assurance needs to be Obtaining the System and Related Security Activities may is See Chapter 9 for more information 8 4 2 3 activities is This applies to satisfied to obtain the desired assurance both system developments and acquisitions For example ability to test the the desired level of assurance the system will be tested or reviewed to determine actually built or bought If the system is being built security include developing the system's security aspects monitoring the development itself for security vulnerabilities that may problems responding to changes and monitoring arise during the threat Threats or development phase include Trojan horses incorrect code poorly functioning development tools manipulation of code and malicious insiders If the system security is is Many systems being acquired off the is may include monitoring to ensure systems use a combination 
of development and acquisition In activities include This shelf security activities a part of market surveys contract solicitation documents and evaluation of proposed both sets an example of a risk-based decision 79 this case security Management Controls As the system is built or bought choices made about the system which can affect are In federal These choices include selection of security it is members of the source selection board specific off-the-shelf products finalizing an government contracting often useful if personnel with security expertise participate as to help evaluate the security aspects of proposals architecture or selecting a processing site or platform Additional security analysis will probably be necessary In addition to obtaining the system operational practices need to be developed These refer to human activities that take place training around the system such as contingency planning awareness and and preparing documentation The chapters handbook discuss these areas These need to be are often developed by different individuals in the Operational Controls section of this developed along with the system although they These areas like technical specifications should be considered from the beginning of the development and acquisition phase 8 4 3 Implementation A separate implementation phase is not always specified in some life cycle planning efforts It is often incorporated into the end of development and acquisition or the beginning of operation and maintenance However from a security point of view a occurs between development and the this section turning start on the controls and critical security activity accreditation of system operation The other activities testing are often incorporated at the described in end of the development acquisition phase 8 4 3 1 Install Turn-On Controls While obvious this activity is often security features disabled complex task requiring When overlooked acquired a system often comes with These need to be enabled 
and configured For many systems significant skills Custom-developed systems may also require this is a similar work 8 4 3 2 Security Testing System security testing includes both the testing of the particular parts of the system that have been developed or acquired and the testing of the entire system Security management physical facilities services personnel procedures the use of commercial or in-house services such as networking and contingency planning are examples of areas system but may be that affect the security specified outside of the development or acquisition cycle of the entire Since only items within the development or acquisition cycle will have been tested during system acceptance testing separate tests or reviews may need to be performed for these additional security elements 80 8 Security certification is Life Cycle Security a formal testing of the security safeguards implemented in the computer system to determine whether they meet applicable requirements and specifications more reliable technical information certification is often rather than 70 To provide performed by an independent reviewer by the people who designed the system 8 4 3 3 Accreditation System security accreditation is the formal authorization by the accrediting management official for system operation and an explicit acceptance of risk It is usually supported by a review of the system including its management operational and technical controls This review may include a detailed technical evaluation such as a Federal Information Processing Standard 102 certification particularly for complex critical or high-risk systems security evaluation risk assessment audit or other such review If the upgrade the new The life cycle process is being used to manage a project such as a system important to recognize that the accreditation it is is for the entire system not just for addition best way accreditation to view is as a computer security form of quality control forces managers and 
technical staff to together to find the best fit Sample Accreditation Statement It work In accordance with Organization Directive for security given issue an accreditation for technical constraints operational constraints accreditation and mission requirements The accreditation process obliges managers to make hereby my formal declaration that a satisfactory level of operational security is present critical that the system can operate under reasonable This accreditation decisions regarding the adequacy of security safeguards is I name of system This will A decision based on reliable is valid for three years be re-evaluated annually have occurred affecting information about the effectiveness of its and risk The system to determine if changes security technical and non-technical safeguards and the residual risk is more likely to be a sound decision After deciding on the acceptability of security safeguards and residual risks the accrediting official should issue a formal accreditation statement While most flaws in system security are not severe enough to remove an operational system from service or to prevent a becoming operational the flaws may require some dial-in access or electronic accreditation 70 Some may be restrictions on operation new system from e g limitations on connections to other organizations In some cases an interim granted allowing the system to operate requiring review at the end of the federal agencies use a broader definition of the term certification to refer to security reviews or evaluations formal or information that take place prior to and are used to support accreditation 81 Management Controls interim period presumably after security upgrades have been made 8 4 4 Operation and Maintenance Many these security activities take place during the operational phase of a system's fall into three areas 1 security operations and administration life In general 2 operational assurance and 3 periodic re-analysis of the security Figure 8 2 diagrams the 
flow of security activities during the operational phase 8 4 4 1 Security Operations and Administration Operation of a system involves many security activities discussed throughout this handbook Performing backups holding training classes managing cryptographic keys keeping up with user administration and access privileges and updating security software are 8 4 4 2 Operational some examples Assurance Operational assurance examines whether a system Security never perfect when a system is operated according to is operators discover new ways J o - people who operate or use the system and the o a t u _ functioning of technical controls ii to intentionally J o or unintentionally bypass or subvert security Changes create in the new procedures may system or the environment can vulnerabilities is Strict rare over time is current security requirements This includes both the actions of implemented In addition system users and its ii l ii il o i adherence to and procedures become outdated Thinking risk is minimal users tend to bypass security measures and procedures As shown in Figure 8 2 changes occur Operational assurance these changes whether they are new is one way of becoming aware of vulnerabilities or old vulnerabilities that have not been corrected system changes or environmental changes Operational assurance is the process of reviewing an operational system to see that security controls both automated and manual are functioning correctly and effectively To maintain operational assurance organizations use two basic methods system audits and monitoring These terms are used loosely within the computer security community and often overlap A system audit is a one-time or periodic event to evaluate security Monitoring refers to an ongoing activity that examines either the system or the users In general the more real-time an activity is the more it falls into the category of monitoring 82 See Chapter 9 - - CO cu CO C O o CO I oc Q 2 CO a H CO 2 03 3- CO P T 3 en 00 Q s 3 00 
oa as tO CO- fci CO 2 a c i 00 CO U oo U o 00 3c Xi CD 6 c u 1 4 CO 2 H o o SI t O rS aa 3 g CO Q o 2 s ws of 4 I C 3 1 e S i c o 3 s a i 00 1 2 u a J 55 u 3 C 3 i CO CO to rt 5 3 o 'B is H a a O J ' o 52 I Q-S Management 8 4 4 3 Controls Managing Change Computer systems and the environments in which they operate change continually In Security change response to various events such as user new features and discovery of new threats complaints availability of services or the and vulnerabilities BBBnaHHHHHMHaaBMmHni system managers and users modify the system and incorporate new features in tend to increase A new user group may be added New new procedures and software updates which the system operates also changes Networking and interconnections The environment groups management helps develop new security requirements threats may emerge such possibly external groups or as increases in anonymous network intrusions or the spread of personal computer viruses If the system has a configuration control board or other structure to manage technical system changes a security specialist can be assigned to the board to determinations about whether and if so how changes make will affect security Security should also be considered during system upgrades and other planned changes and in shown determining the impact of unplanned changes As is planned a determination is made whether the change in is Figure 8 2 when a change occurs or A major change major or minor such Major changes often involve the purchase of new hardware software or services or the development of new software as reengineering the structure of the system significantly affects the system modules An A organization does not need to have a specific cutoff for major-minor change decisions sliding scale between the two can be implemented by using a combination of the following methods o A major change requires analysis Major change requirements to determine security The process described above can be used although the 
analysis may focus only on the area s in which the change has occurred or will occur If the original analysis and system changes have been documented throughout the much cycle the analysis will normally be significant easier Since these changes result system acquisitions development work or changes should be reaccredited to ensure that the residual risk o Minor change Many of the changes made to a is still and cons costs and the analysis is documented that in in policy the system acceptable system do not require the extensive analysis performed for major changes but do require Each change can involve a life some analysis limited risk assessment that weighs the pros benefits can even be performed on-the-fly conducted informally decisions should still at meetings Even be appropriately This process recognizes that even small decisions should be 84 if 8 Life Cycle Security risk-based 8 4 4 4 Periodic Reaccreditation Periodically The analysis sufficient The is it useful to formally reexamine the security of a system from a wider perspective which leads to reaccreditation should address such questions as Is the security still Are major changes needed reaccreditation should address high-level security and implementation of the security always necessary to perform a It is new management concerns as well as the not wmmmmmmmmmmm amimKmmmmmm mmmmmmm risk assessment or certification in conjunction with It is the re-accreditation but the activities support each other and both need be performed The more extensive system changes have been the more extensive the officials A risk assessment is likely to records HHHHBBH H H H that result in system changes After the system has been changed Management then should consult with their agency office responsible for retaining and archiving federal analyses should be e g a risk assessment or uncover security concerns when disposing of computer management systems For federal systems system periodically re-certification important to consider 
8.4.5 Disposal

The disposal phase of the computer system life cycle involves the disposition of information, hardware, and software. Information may be moved to another system, archived, discarded, or destroyed. When archiving information, consider the method for retrieving the information in the future. The technology used to create the records may not be readily available in the future. It is important to consider legal requirements for records retention when disposing of computer systems.

Sidebar: For federal systems, system management officials should consult with their agency office responsible for retaining and archiving federal records when disposing of computer systems.

Since electronic information is easy to copy and transmit, information that is sensitive to disclosure often needs to be controlled throughout the computer system life cycle so that managers can ensure its proper disposition.

Hardware and software can be sold, given away, or discarded. There is rarely a need to destroy hardware, except for some storage media containing confidential information that cannot be sanitized without destruction.

Sidebar: Media Sanitization. The removal of information from a storage medium (such as a hard disk or tape) is called sanitization. Different kinds of sanitization provide different levels of protection. A distinction can be made between clearing information (rendering it unrecoverable by keyboard attack) and purging (rendering information unrecoverable against laboratory attack). There are three general methods of purging media: overwriting, degaussing (for magnetic media only), and destruction.

The disposition of software needs to be in keeping with its license or other agreements with the developer, if applicable. Some licenses are site-specific or contain other agreements that prevent the software from being transferred. Measures may also have to be taken for the future use of data that has been encrypted, such as taking appropriate steps to ensure the secure long-term storage of cryptographic keys.
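The sanitization sidebar names overwriting as one purge method but says nothing about how to confirm an overwrite actually took effect. The following is an added example, not code from NIST SP 800-12 or from any NIST tool: it overwrites a file in place, pass by pass, and then reads the file back to check that known sensitive byte sequences (the `markers`, which a practitioner would take from the sensitivity assessment) are no longer present, including sequences that straddle a read-buffer boundary. All names, the chunk size, the pass patterns and the fake personnel records are assumptions made for this example. The caveat in the module docstring is the one a practitioner must keep in mind: an application-level overwrite is clearing at best, because journaling and copy-on-write filesystems, flash wear levelling and remapped sectors leave copies the overwrite never reaches; purging still means degaussing (magnetic media only) or destruction, exactly as the handbook states.

```python
"""Added example, not part of NIST SP 800-12: overwriting a file as a form
of clearing before disposal, followed by a read-back check for residue.

Assumptions (hypothetical, for illustration only): the object to sanitize
is a regular file on a filesystem that rewrites blocks in place. On
journaling or copy-on-write filesystems, flash/SSD media with wear
levelling, or disks with remapped sectors, an application-level overwrite
does not reach every physical copy of the data, so this is clearing
(defeats a keyboard attack) at best, never purging (defeats a laboratory
attack). Purging still requires degaussing (magnetic media only) or
physical destruction.
"""
import os
import tempfile

CHUNK = 1 << 16  # 64 KiB read/write granularity (assumed)


def overwrite_file(path, passes=(b"\x00", b"\xff", None)):
    """Overwrite every byte of *path* in place, once per entry in *passes*.

    A one-byte pattern is repeated across the file; None means a pass of
    random bytes. Each pass is flushed and fsync'd so the data is handed to
    the device before the next pass begins. Returns the file size in bytes.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pattern in passes:
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def residue_offsets(path, marker, chunk=CHUNK):
    """Return the byte offsets at which *marker* still occurs in *path*.

    The file is read in chunks; the last len(marker)-1 bytes of each chunk
    are carried into the next so a marker straddling a chunk boundary is
    still found. An empty list means the read-back check passed.
    """
    if not marker:
        raise ValueError("marker must be non-empty")
    hits, keep, tail, base = [], len(marker) - 1, b"", 0
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            buf = tail + block  # base is the file offset of buf[0]
            i = buf.find(marker)
            while i >= 0:
                hits.append(base + i)
                i = buf.find(marker, i + 1)
            tail = buf[len(buf) - min(keep, len(buf)):]
            base += len(buf) - len(tail)
    return hits


def sanitize_and_verify(path, markers, passes=(b"\x00", b"\xff", None)):
    """Overwrite *path*, then confirm that none of *markers* survives.

    *markers* are byte strings known to have been in the file (for a real
    disposal: record headers or identifiers named in the sensitivity
    assessment). Returns (size, residue); residue maps each marker to the
    offsets at which it was still found, so all-empty means success.
    """
    size = overwrite_file(path, passes)
    return size, {m: residue_offsets(path, m) for m in markers}


def write_temp_file(data):
    """Write *data* to a new temporary file and return its path."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        return tmp.name


def demo():
    """Constructed input: 2000 fake personnel records (76,000 bytes), more
    than one CHUNK. Fixed patterns replace the random final pass so the
    read-back result is repeatable."""
    record = b"EMP-0001|Jane Example|SSN:000-00-0000\n"  # 38 bytes, made up
    path = write_temp_file(record * 2000)
    try:
        hits_before = len(residue_offsets(path, b"SSN:"))
        size, residue = sanitize_and_verify(
            path, [b"SSN:", b"Jane Example"], passes=(b"\x00", b"\xff"))
        return {"size": size, "hits_before": hits_before,
                "hits_after": sum(len(v) for v in residue.values())}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Run as a script, `demo()` reports 2000 marker hits before the overwrite and none after. The read-back is the part worth copying: a sanitization procedure that does not verify its own result gives the accrediting official nothing to accept, and on media where the check cannot be made meaningful (flash, remapped sectors) the handbook's other two purge methods are the only defensible choice.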
assurance and risk The development of system-specific Policy upon other management cycle planning relies policy is controls Three closely an integral part of determining the security requirements Assurance considered Good in life cycle management provides assurance that security is appropriately system design and operation Risk Management The maintenance of security throughout the operational phase of a system process of risk assessment is management analyzing risk reducing risk is a and monitoring safeguards Risk a critical element in designing the security of systems and in reaccreditations 8 6 Cost Considerations Sometimes security choices are made by default without anyone analyzing why choices are made sometimes security choices are made carefully based on analysis The first case is likely to result in a system with poor security that is susceptible to many types of loss In the second case the cost of life cycle management should be much smaller than the losses avoided The major cost considerations for life cycle management Security is a factor throughout the are personnel costs and some life cycle of a system delays as the system progresses through the life cycle for completing analyses and reviews and obtaining management approvals It is than overmanage a system to spend more time planning designing and analyzing risk necessary Planning by itself does not further the mission or business of an organization possible to is Therefore while security life cycle commensurate with the system's management can size yield significant benefits the effort should be complexity and sensitivity and the risks associated with the system In general the higher the value of the system the newer the system's architecture technologies and practices and the worse the impact should be spent on life if the system security fails the more cycle management References Communications Security Establishment A Framework for Security Risk Management 86 in effort 8 Life Cycle Security 
Information Technology Systems Canada Dykman Charlene A ed and Charles K Davis Control Objectives -Controls in an asc ed Information Systems Environment Objectives Guidelines and Audit Procedures fourth Carol Stream IL The edition EDP Auditors Foundation Guttman Barbara Computer Security Considerations Procurement Initiators Inc April 1992 Federal Procurements in A Guide for Contracting Officers and Computer Security Officials Special Publication 800-4 Gaithersburg MD National Institute of Standards and Technology March 1992 Institute of Internal Auditors Research Foundation System Auditability and Control Report Altamonte Springs FL The Institute of Internal Auditors 1991 Murphy Michael and Xenia Ley Parker Handbook of EDP Auditing especially Chapter 2 The Auditing Profession and Chapter 3 The EDP Auditing Profession Boston MA Warren Gorham Lamont 1989 National Bureau of Standards Guideline for Computer Security Certification and Accreditation Federal Information Processing Standard Publication 102 September 1983 National Institute of Standards and Technology Disposition of Sensitive Automated Information Computer Systems Laboratory Bulletin October 1992 National Institute of Standards and Technology Sensitivity of Information Computer Systems Laboratory Bulletin November 1992 Management and Budget Guidance for Preparation of Security Plans for Federal Computer Systems That Contain Sensitive Information OMB Bulletin 90-08 1990 Office of Ruthberg Zella G Bonnie T Fisher and John W Lainhart IV System Development Auditor Oxford England Elsevier Advanced Technology 1991 Ruthberg Z et al Guide to A System Development Life MD National Bureau of Standards Auditing for Controls and Security Cycle Approach Special Publication 500-153 Gaithersburg April 1988 Vickers Benzel T C Developing Trusted Systems Using Computer Society Wood DOD-STD-2I67A Oakland CA IEEE Press 1990 C Building Security Into Your System Reduces 10 3 1993 p 47 87 the Risk of a Breach LAN Times Chapter 9 
ASSURANCE Computer security assurance technical and operational the degree of confidence one has that the security measures both is work as intended to protect the system and the information it processes however an absolute guarantee that the measures work as intended Like the closely related areas of reliability and quality assurance can be difficult to analyze however it is something people expect and obtain though often without realizing it For example people may Assurance is not recommendations from colleagues but may not consider such routinely get product recommendations Assurance true is as providing assurance a degree of confidence not a measure of how secure the system actually is because This distinction it is extremely cases virtually impossible how secure a system Assurance many the degree ofconfidence one has exactly ii m ih s ystem i i M intended ii-- iii iimn and protect - m mi in niiiii i imi is a challenging subject because is as intended things 1 who know in Because of this many people quantify work to and is that the security controls operate correctly necessary is difficult -- -- Security assurance However who needs it is is the difficult to describe and even warm fuzzy refer to assurance as a more difficult to feeling that controls more rigorous approach by knowing two what types of assurance can be obtained The person possible to apply a to be assured needs to be assured it is and 2 management official of the system Within the federal government this who is person ultimately responsible for the security is the authorizing or accrediting 11 official There are many methods and tools for obtaining assurance For discussion purposes for assurance and then presents the this chapter The chapter first discusses planning two categories of assurance methods and tools 1 design and categorizes assurance in terms of a general system life cycle implementation assurance and 2 operational assurance Operational assurance is further categorized into audits and 
monitoring.

The division between design and implementation assurance and operational assurance can be fuzzy. While such issues as configuration management or audits are discussed under operational assurance, they may also be vital during a system's development. The discussion tends to focus more on technical issues during design and implementation assurance and to be a mixture of management, operational, and technical issues under operational assurance. The reader should keep in mind that the division is somewhat artificial and that there is substantial overlap.

Footnote 71: Accreditation is a process used primarily within the federal government. It is the process of managerial authorization for processing. Different agencies may use other terms for this approval function. The terms used here are consistent with Federal Information Processing Standard 102, Guideline for Computer Security Certification and Accreditation. (See the reference section of this chapter.)

9.1 Accreditation and Assurance

Accreditation is a management official's formal acceptance of the adequacy of a system's security. The best way to view computer security accreditation is as a form of quality control. It forces managers and technical staff to work together to find workable, cost-effective solutions given security needs, technical constraints, operational constraints, and mission or business requirements. The accreditation process obliges managers to make the critical decision regarding the adequacy of security safeguards and, therefore, to recognize and perform their role in securing their systems. In order for the decisions to be sound, they need to be based on reliable information about the implementation of both technical and nontechnical safeguards. These include:

o Technical features (Do they operate as intended?)
o Operational practices (Is the system operated according to stated procedures?)
o Overall security (Are there threats which the technical features and operational practices do not address?)
o Remaining
risks (Are they acceptable?)

A computer system should be accredited before the system becomes operational, with periodic reaccreditation after major system changes or when significant time has elapsed (footnote 72). Even if a system was not initially accredited, the accreditation process can be initiated at any time. Chapter 8 further discusses accreditation.

Footnote 72: OMB Circular A-130 requires management security authorization of operation for federal systems.

9.1.1 Accreditation and Assurance

Assurance is an extremely important -- but not the only -- element in accreditation. As shown in the diagram, assurance addresses whether the technical measures and procedures operate either (1) according to a set of security requirements and specifications or (2) according to general quality principles. Accreditation also addresses whether the system's security requirements are correct and well implemented and whether the level of quality is sufficiently high. These activities are discussed in Chapters 7 and 8.

9.1.2 Selecting Assurance Methods

The accrediting official makes the final decision about how much and what types of assurance are needed for a system. For this decision to be informed, it is derived from a review of security, such as a risk assessment or other study (e.g., certification), as deemed appropriate by the accrediting official (footnote 73). The accrediting official needs to be in a position to analyze the pros and cons of the cost of assurance, the cost of controls, and the risks to the organization. At the end of the accreditation process, the accrediting official will be the one to accept the remaining risk. Thus, the selection of assurance methods should be coordinated with the accrediting
official.

Footnote 73: In the past, accreditation has been defined to require a certification, which is an in-depth testing of technical controls. It is now recognized within the federal government that other analyses (e.g., a risk analysis or audit) can also provide sufficient assurance for accreditation.

In selecting assurance methods, the need for assurance should be weighed against its cost. Assurance can be quite expensive, especially if extensive testing is done. Each method has strengths and weaknesses in terms of cost and what kind of assurance is actually being delivered. A combination of methods can often provide greater assurance, since no method is foolproof, and can be less costly than extensive testing.

The accrediting official is not the only arbiter of assurance. Other officials who use the system should also be consulted. (For example, a Production Manager who relies on a Supply System should provide input to the Supply Manager.) In addition, there may be constraints outside the accrediting official's control that also affect the selection of methods. For instance, some of the methods may unduly restrict competition in acquisitions of federal information processing resources or may be contrary to the organization's privacy policies. Certain assurance methods may be required by organizational policy or directive.

9.2 Planning and Assurance

Assurance planning should begin during the planning phase of the system life cycle, either for a new system or a system upgrade. Planning for assurance when planning for other system requirements makes sense. If a system is going to need extensive testing, it should be built to facilitate such testing. Planning for assurance helps a manager make decisions about what kind of assurance will be cost-effective. If a manager waits until a system is built or bought to consider assurance, the number of ways to obtain assurance may be much smaller than if the manager had planned for it earlier, and the remaining assurance options may be more expensive.

9.3 Design and Implementation Assurance

Design and implementation assurance should be examined from two points of view: the component and the system. Component assurance looks at the security of a specific product or system component, such as an operating system, application, security add-on, or telecommunications module. System assurance looks at the security of the entire system, including the interaction between products and modules.

Design and implementation assurance addresses whether the
features of a system, application, or component meet security requirements and specifications and whether they are well designed and well built. Chapter 8 discusses the source for security requirements and specifications. Design and implementation assurance examines system design, development, and installation. Design and implementation assurance is usually associated with the development/acquisition and implementation phase of the system life cycle; however, it should also be considered throughout the life cycle as the system is modified.

As stated earlier, assurance can address whether the product or system meets a set of security specifications, or it can provide other evidence of quality. This section outlines the major methods for obtaining design and implementation assurance.

9.3.1 Testing and Certification

Testing can address the quality of the system as built, as implemented, or as operated. Thus, it can be performed throughout the development cycle, after system installation, and throughout its operational phase. Some common testing techniques include functional testing (to see if a given function works according to its requirements) or penetration testing (to see if security can be bypassed). These techniques can range from trying several test cases to in-depth studies using metrics, automated tools, or multiple detailed test cases.

Certification is a formal process for testing components or systems against a specified set of security requirements. Certification is normally performed by an independent reviewer, rather than one involved in building the system. Certification is more often cost-effective for complex or high-risk systems. Less formal security testing can be used for lower-risk systems. Certification can be performed at many
stages of the system design and implementation process and can take place in a laboratory, an operating environment, or both.

9.3.2 NIST Conformance Testing and Validation Suites

NIST produces validation suites and conformance testing to determine if a product (software, hardware, firmware) meets specified standards. These test suites are developed for specific standards and use many methods. Conformance to standards can be important for many reasons, including interoperability or strength of security provided. NIST publishes a list of validated products quarterly.

9.3.3 Use of Advanced or Trusted Development

In the development of both commercial off-the-shelf products and more customized systems, the use of advanced or trusted system architectures, development methodologies, or software engineering techniques can provide assurance. Examples include security design and development reviews, formal modeling, mathematical proofs, ISO 9000 quality techniques, or use of security architecture concepts such as a trusted computing base (TCB) or reference monitor.

9.3.4 Use of Reliable Architectures

Some system architectures are intrinsically more reliable, such as systems that use fault-tolerance, redundance, shadowing, or redundant array of inexpensive disks (RAID) features. These examples are primarily associated with system availability.

9.3.5 Use of Reliable Security

One factor in reliable security is the concept of ease of safe use, which postulates that a system that is easier to secure will be more likely to be secure. Security features may be more likely to be used when the initial system defaults to the "most secure" option. In addition, a system's security may be deemed more reliable if it does not use very new technology that has not been tested in the "real" world (often called "bleeding-edge" technology). Conversely, a system that uses older, well-tested software may be less likely to contain bugs.

9.3.6 Evaluations

A product evaluation normally includes testing. Evaluations can be
performed by many types of organizations, including government agencies (both domestic and foreign), independent organizations (such as trade and professional organizations), other vendors or commercial groups, or individual users or user consortia. Product reviews in trade literature are a form of evaluation, as are more formal reviews made against specific criteria. Important factors for using evaluations are the degree of independence of the evaluating group, whether the evaluation criteria reflect needed security features, the rigor of the testing, the testing environment, the age of the evaluation, the competence of the evaluating organization, and the limitations placed on the evaluations by the evaluating group (e.g., assumptions about the threat or operating environment).

9.3.7 Assurance Documentation

The ability to describe security requirements and how they were met can reflect the degree to which a system or product designer understands applicable security issues. Without a good understanding of the requirements, it is not likely that the designer will be able to meet them.

Assurance documentation can address the security either for a system or for specific components. System-level documentation should describe the system's security requirements and how they have been implemented, including interrelationships among applications, the operating system, or networks. System-level documentation addresses more than just the operating system, the security system, and applications; it describes the system as integrated and implemented in a particular environment. Component documentation will generally be an off-the-shelf product, whereas the system designer or implementer will generally develop system documentation.

9.3.8 Accreditation of Product to Operate in Similar Situation

The accreditation of a product or system to operate in a similar situation can be used to provide some assurance. However, it is important to realize that an accreditation is environment- and system-specific. Since accreditation balances risk against advantages, the same product may
be appropriately accredited for one environment but not for another, even by the same accrediting official.

9.3.9 Self-Certification

A vendor's, integrator's, or system developer's self-certification does not rely on an impartial or independent agent to perform a technical evaluation of a system to see how well it meets a stated security requirement. Even though it is not impartial, it can still provide assurance. The self-certifier's reputation is on the line, and a resulting certification report can be read to determine whether the security requirement was defined and whether a meaningful review was performed.

A hybrid certification is possible where the work is performed under the auspices or review of an independent organization by having that organization analyze the resulting report, perform spot checks, or perform other oversight. This method may be able to combine the lower cost and greater speed of a self-certification with the impartiality of an independent review. The review, however, may not be as thorough as independent evaluation or testing.

9.3.10 Warranties, Integrity Statements, and Liabilities

Warranties are another source of assurance. If a manufacturer, producer, system developer, or integrator is willing to correct errors within certain time frames or by the next release, this should give the system manager a sense of commitment to the product and of the product's quality. An integrity statement is a formal declaration or certification of the product. It can be backed up by a promise to (a) fix the item (warranty) or (b) pay for losses (liability) if the product does not conform to the integrity statement.

9.3.11 Manufacturer's Published Assertions

A manufacturer's or developer's published assertion or formal declaration provides a limited amount of assurance based exclusively on reputation.

9.3.12 Distribution Assurance

It is often important to know that software has arrived unmodified,
especially if it is distributed electronically. In such cases, checkbits or digital signatures can provide high assurance that code has not been modified. Anti-virus software can be used to check software that comes from sources with unknown reliability, such as a bulletin board.

9.4 Operational Assurance

Design and implementation assurance addresses the quality of security features built into systems. Operational assurance addresses whether the system's technical features are being bypassed or have vulnerabilities and whether required procedures are being followed. It does not address changes in the system's security requirements, which could be caused by changes to the system and its operating or threat environment. (These changes are addressed in Chapter 8.)

Security tends to degrade during the operational phase of the system life cycle. System users and operators discover new ways to intentionally or unintentionally bypass or subvert security (especially if there is a perception that bypassing security improves functionality). Users and administrators often think that nothing will happen to them or their system, so they shortcut security. Strict adherence to procedures is rare, procedures become outdated, and errors in the system's administration commonly occur.

Organizations use two basic methods to maintain operational assurance:

o A system audit -- a one-time or periodic event to evaluate security. An audit can vary widely in scope: it may examine an entire system for the purpose of reaccreditation, or it may investigate a single anomalous event.
o Monitoring -- an ongoing activity that checks on the system, its users, or the environment.

In general, the more "real-time" an activity is, the more it falls into the category of monitoring. This distinction can create some unnecessary linguistic hairsplitting, especially concerning system-generated audit trails. Daily or weekly reviewing of the audit trail (for unauthorized access attempts) is generally monitoring, while an historical review of
several months' worth of the trail (tracing the actions of a specific user) is probably an audit.

9.4.1 Audit Methods and Tools

An audit conducted to support operational assurance examines whether the system is meeting stated or implied security requirements, including system and organization policies. Some audits also examine whether security requirements are appropriate, but this is outside the scope of operational assurance. (See Chapter 8.) Less formal audits are often called security reviews.

Audits can be self-administered or independent (either internal or external) (footnote 74). Both types can provide excellent information about technical, procedural, managerial, or other aspects of security. The essential difference between a self-audit and an independent audit is objectivity. Reviews done by system management staff, often called self-audits, have an inherent conflict of interest. The system management staff may have little incentive to say that the computer system was poorly designed or is sloppily operated. On the other hand, they may be motivated by a strong desire to improve the security of the system. In addition, they are knowledgeable about the system and may be able to find hidden problems.

A person who performs an independent audit should be free from personal and external constraints which may impair their independence and should be organizationally independent.

The independent auditor, by contrast, should have no professional stake in the system. Independent audit may be performed by a professional audit staff in accordance with generally accepted auditing standards.

There are many methods and tools, some of which are described here, that can be used to audit a system. Several of them overlap.

9.4.1.1 Automated Tools

Even for small multiuser computer systems, it is a big job to manually review security features. Automated tools make it feasible to review even large computer systems for a variety of security flaws. There are two types of
automated tools: (1) active tools, which find vulnerabilities by trying to exploit them, and (2) passive tests, which only examine the system and infer the existence of problems from the state of the system.

Automated tools can be used to help find a variety of threats and vulnerabilities, such as improper access controls or access control configurations, weak passwords, lack of integrity of the system software, or not using all relevant software updates and patches. These tools are often very successful at finding vulnerabilities and are sometimes used by hackers to break into systems. Not taking advantage of these tools puts system administrators at a disadvantage. Many of the tools are simple to use; however, some programs (such as access-control auditing tools for large mainframe systems) require specialized skill to use and interpret.

Footnote 74: An example of an internal auditor in the federal government is the Inspector General. The General Accounting Office can perform the role of external auditor in the federal government. In the private sector, the corporate audit staff serves the role of internal auditor, while a public accounting firm would be an external auditor.

9.4.1.2 Internal Controls Audit

An auditor can review controls in place and determine whether they are effective. The auditor will often analyze both computer and noncomputer-based controls. Techniques used include inquiry, observation, and testing (of both the controls themselves and the data). The audit can also detect illegal acts, errors, irregularities, or a lack of compliance with laws and regulations. Security checklists and penetration testing, discussed below, may be used.

The General Accounting Office provides standards and guidance for internal controls audits of federal agencies.

9.4.1.3 Security Checklists

Within the government, the computer security plan provides a checklist against which the system can be audited. This plan, discussed in Chapter 8, outlines the major
security considerations for a system, including management, operational, and technical issues. One advantage of using a computer security plan is that it reflects the unique security environment of the system, rather than a generic list of controls. Other checklists can be developed which include national or organizational security policies and practices (often referred to as baselines). Lists of "generally accepted security practices" (GSSPs) can also be used. Care needs to be taken so that deviations from the list are not automatically considered wrong, since they may be appropriate for the system's particular environment or technical constraints.

Checklists can also be used to verify that changes to the system have been reviewed from a security point of view. A common audit examines the system's configuration to see if major changes (such as connecting to the Internet) have occurred that have not yet been analyzed from a security point of view.

Warning: Security checklists that are passed (e.g., with a "B" or better score) are often used mistakenly as proof (instead of an indication) that security is sufficient. Also, managers of systems which fail a checklist often focus too much attention on "getting the points," rather than on whether the security measures make sense in the particular environment and are correctly implemented.

9.4.1.4 Penetration Testing

Penetration testing can use many methods to attempt a system break-in. In addition to using active automated tools as described above, penetration testing can be done "manually." The most useful type of penetration testing is to use methods that might really be used against the system. For hosts on the Internet, this would certainly include automated tools. For many systems, lax procedures or a lack of internal controls on applications are common vulnerabilities that penetration testing can target. Another method is "social engineering," which involves getting users or administrators to divulge information about systems, including their passwords (footnote 75).

Footnote 75: While penetration testing is a very powerful technique, it should preferably be conducted with the knowledge and consent of system management. Unknown penetration attempts can cause a lot of stress among operations personnel and may create unnecessary disturbances.
9.4.2 Monitoring Methods and Tools

Security monitoring is an ongoing activity that looks for vulnerabilities and security problems. Many of the methods are similar to those used for audits but are done more regularly or, for some automated tools, in real time.

9.4.2.1 Review of System Logs

As discussed in Chapter 8, a periodic review of system-generated logs can detect security problems, including attempts to exceed access authority or gain system access during unusual hours.

9.4.2.2 Automated Tools

Several types of automated tools monitor a system for security problems. Some examples follow.

o Virus scanners are a popular means of checking for virus infections. These programs test for the presence of viruses in executable program files.
o Checksumming presumes that program files should not change between updates. It works by generating a mathematical value based on the contents of a particular file. When the integrity of the file is to be verified, the checksum is generated on the current file and compared with the previously generated value. If the two values are equal, the integrity of the file is verified. Program checksumming can detect viruses, Trojan horses, accidental changes to files caused by hardware failures, and other changes to files. However, checksums may be subject to covert replacement by a system intruder. Digital signatures can also be used.
o Password crackers check passwords against a dictionary (either a "regular" dictionary or a specialized one with easy-to-guess passwords) and also check if passwords are common permutations of the user ID. Examples of special dictionary entries could be the names of regional sports teams and stars; common permutations could be the user ID spelled backwards.
o Integrity verification programs can be used by applications to look for evidence of data tampering, errors, and omissions. Techniques include consistency and reasonableness checks and validation during data entry and processing. These techniques can check data elements, as input or as processed, against expected values or ranges of values; analyze transactions for proper flow, sequencing, and authorization; or examine data elements for expected relationships. These programs comprise a very important set of processes because they can be used to convince people that, if they do what they should not do, accidentally or intentionally, they will be caught. Many of these programs rely upon logging of individual user activities.
o Intrusion detectors analyze the system audit trail, especially log-ons, connections, operating system calls, and various command parameters, for activity that could represent unauthorized activity. Intrusion detection is covered in Chapters 12 and 18.
o System performance monitoring analyzes system performance logs in real time to look for availability problems, including active attacks (such as the 1988 Internet worm) and system and network slowdowns and crashes.
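The checksumming tool described in 9.4.2.2, and the checkbit or signature verification of electronically distributed software in 9.3.12, both reduce to the same procedure: record a digest of each file, later recompute it and compare. The following is an added example, not code from the handbook or from NIST: it baselines a directory with SHA-256, seals the baseline with an HMAC (a stand-in, assumed here, for the digital signature the text mentions; the key must live off the monitored host, otherwise an intruder who can replace program files can replace the baseline too, which is exactly the "covert replacement" the text warns about), and checks a received package against a published digest. The directory, file contents, key and published digest are all constructed for the demonstration.

```python
"""Added example: program-file checksumming and distribution checking.
Not part of NIST SP 800-12; the layout, key and digests are constructed."""
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (path relative to root) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_digest(full)
    return baseline


def seal_baseline(baseline, key):
    """Serialize the baseline and attach an HMAC tag so a rewritten baseline
    is detected.  The key is assumed to be kept off the monitored host."""
    body = json.dumps(baseline, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"baseline": body, "tag": tag}


def open_sealed(sealed, key):
    """Return the baseline dict, or None if the seal does not verify."""
    expected = hmac.new(key, sealed["baseline"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        return None
    return json.loads(sealed["baseline"])


def verify_tree(root, baseline):
    """Compare the files now on disk with the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def verify_download(path, published_digest):
    """Distribution assurance: does the received file match the digest the
    distributor published over a separate channel?"""
    return hmac.compare_digest(file_digest(path), published_digest.lower())


def demo():
    """Constructed scenario: baseline two 'programs', then replace one, delete
    one and add one; also confirm a tampered seal is rejected and that a
    package checks out against its (constructed) published digest."""
    key = b"constructed-demo-key-keep-off-host"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"original login program\n")
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls program\n")
        sealed = seal_baseline(build_baseline(root), key)

        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"replaced login program\n")      # covert replacement
        with open(os.path.join(root, "bin", "extra"), "wb") as f:
            f.write(b"unexpected file\n")
        os.remove(os.path.join(root, "bin", "ls"))

        report = verify_tree(root, open_sealed(sealed, key))
        seal_rejects_tamper = open_sealed(dict(sealed, tag="0" * 64), key) is None

        pkg = os.path.join(root, "package.tar")
        with open(pkg, "wb") as f:
            f.write(b"distributed package contents\n")
        published = hashlib.sha256(b"distributed package contents\n").hexdigest()
        download_ok = verify_download(pkg, published)
        download_bad = verify_download(pkg, "ab" * 32)
    return report, seal_rejects_tamper, download_ok, download_bad


if __name__ == "__main__":
    print(demo())
```

Run on a real tree, the baseline would be generated from known-good media at installation time, stored with its seal away from the host, and re-verified on the schedule the monitoring plan calls for; a non-empty "modified" or "added" list is the signal to investigate, not proof by itself of an intrusion.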
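The password-cracker bullet in 9.4.2.2 lists what such a tool checks: a dictionary (ordinary words plus local entries like regional team names) and permutations of the user ID, such as the ID spelled backwards. The same checks are more useful applied at the moment a password is chosen, so a weak choice is refused rather than found months later. This is an added example and not code from the handbook; the dictionary entries, user IDs and the eight-character minimum are constructed assumptions.

```python
"""Added example: the checks a password auditor applies, run when a password
is set.  Not part of NIST SP 800-12; the dictionary is constructed."""
import re

# Constructed dictionary: common words plus "special" local entries such as
# regional team names, as the handbook describes.
WEAK_DICTIONARY = {
    "password", "welcome", "letmein", "qwerty", "summer",
    "orioles", "redskins", "terrapins",   # constructed regional-team entries
}

# Undo the letter-for-symbol substitutions people use to dress up a word.
_SUBST = str.maketrans("@$0134", "asoiea")


def normalize(candidate):
    """Lowercase, undo common substitutions and strip leading/trailing digits
    or punctuation, so 'P@ssw0rd99!' compares as 'password'."""
    s = candidate.lower().translate(_SUBST)
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def user_id_permutations(user_id):
    """Forms of the user ID a cracker tries first."""
    uid = user_id.lower()
    return {uid, uid[::-1], uid * 2}


def weakness(user_id, candidate, dictionary=WEAK_DICTIONARY, min_length=8):
    """Return the reason a candidate password is weak, or None if it passes."""
    if len(candidate) < min_length:
        return "shorter than %d characters" % min_length
    core = normalize(candidate)
    if core in dictionary:
        return "dictionary word (after undoing digits and substitutions)"
    if core in user_id_permutations(user_id):
        return "permutation of the user ID"
    uid = user_id.lower()
    if len(uid) >= 4 and (uid in core or uid[::-1] in core):
        return "contains the user ID"
    return None


def audit(accounts):
    """Periodic audit over (user_id, password) pairs; returns only the
    accounts that fail and why."""
    return [(uid, weakness(uid, pw)) for uid, pw in accounts if weakness(uid, pw)]


if __name__ == "__main__":
    for uid, pw in [("jsmith", "P@ssw0rd"), ("jsmith", "htimsj99"),
                    ("rl", "correct horse battery")]:
        print(uid, repr(pw), "->", weakness(uid, pw))
```

The normalization step is what makes the dictionary small but effective: "Orioles1993" and "P@ssw0rd" both collapse to an entry. A real deployment would load the dictionary from a file and extend the local entries over time from what audits actually find.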
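Section 9.4.2.1 names two things a periodic log review should catch: attempts to exceed access authority and log-ons during unusual hours; the intrusion-detector bullet adds log-ons and connections in the audit trail generally. As an added example (not from the handbook), the following review runs over a constructed audit trail and flags both, plus repeated failed log-ons. The record format, the business-hours window, the user names and the thresholds are all assumptions made for the demonstration; a malformed line is counted rather than silently skipped, because a trail that cannot be parsed is itself something the reviewer should notice.

```python
"""Added example: periodic review of a constructed system audit trail.
Not part of NIST SP 800-12; format, users and thresholds are constructed."""
import re
from collections import Counter
from datetime import datetime

# Constructed audit-trail lines (1995-03-13 is a Monday, 03-12 a Sunday).
SAMPLE_LOG = """\
1995-03-13 08:55:02 LOGIN user=jsmith result=SUCCESS
1995-03-13 09:02:10 ACCESS user=jsmith object=/payroll/master result=DENIED
1995-03-13 09:02:14 ACCESS user=jsmith object=/payroll/master result=DENIED
1995-03-13 09:02:19 ACCESS user=jsmith object=/payroll/checks result=DENIED
1995-03-13 12:30:00 ACCESS user=rlee object=/payroll/master result=GRANTED
1995-03-13 02:13:41 LOGIN user=opr1 result=SUCCESS
1995-03-12 14:00:00 LOGIN user=rlee result=SUCCESS
1995-03-13 17:58:01 LOGIN user=mchen result=FAILED
1995-03-13 17:58:09 LOGIN user=mchen result=FAILED
1995-03-13 17:58:20 LOGIN user=mchen result=FAILED
1995-03-13 17:59:10 LOGIN user=mchen result=SUCCESS
this line is not a valid audit record
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>LOGIN|ACCESS) "
    r"user=(?P<user>\S+)(?: object=(?P<object>\S+))? result=(?P<result>\w+)$"
)


def parse(line):
    """One audit record as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def review(lines, business_hours=(8, 18), denied_threshold=3, failed_threshold=3):
    """Return (findings, unparsed_count); each finding has 'kind' and 'user'."""
    findings = []
    denied = Counter()
    failed = Counter()
    unparsed = 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparsed += 1       # a malformed or truncated trail deserves a look
            continue
        ts, user = rec["ts"], rec["user"]
        if rec["event"] == "LOGIN" and rec["result"] == "SUCCESS":
            off_hours = not (business_hours[0] <= ts.hour < business_hours[1])
            if off_hours or ts.weekday() >= 5:      # 5, 6 = Saturday, Sunday
                findings.append({"kind": "unusual-hours login", "user": user,
                                 "when": ts.isoformat(sep=" ")})
        elif rec["event"] == "LOGIN" and rec["result"] == "FAILED":
            failed[user] += 1
        elif rec["event"] == "ACCESS" and rec["result"] == "DENIED":
            denied[user] += 1
    # attempts to exceed access authority: repeated denials for one user
    for user, n in sorted(denied.items()):
        if n >= denied_threshold:
            findings.append({"kind": "repeated access denials", "user": user, "count": n})
    for user, n in sorted(failed.items()):
        if n >= failed_threshold:
            findings.append({"kind": "repeated failed logins", "user": user, "count": n})
    return findings, unparsed


if __name__ == "__main__":
    found, bad = review(SAMPLE_LOG)
    for f in found:
        print(f)
    print("unparsed lines:", bad)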
9.4.2.3 Configuration Management

From a security point of view, configuration management provides assurance that the system in operation is the correct version (configuration) of the system and that any changes to be made are reviewed for security implications. Configuration management can be used to help ensure that changes take place in an identifiable and controlled environment and that they do not unintentionally harm any of the system's properties, including its security. Some organizations, particularly those with very large systems (such as the federal government), use a configuration control board for configuration management. When such a board exists, it is helpful to have a computer security expert participate. In any case, it is useful to have computer security officers participate in system management decision making.

Changes to the system can have security implications because they may introduce or remove vulnerabilities and because significant changes may require updating the contingency plan, risk analysis, or accreditation.
9.4.2.4 Trade Literature/Publications/Electronic News

In addition to monitoring the system, it is useful to monitor external sources for information. Such sources as trade literature, both printed and electronic, have information about security vulnerabilities, patches, and other areas that impact security. The Forum of Incident Response Teams (FIRST) has an electronic mailing list that receives information on threats, vulnerabilities, and patches (footnote 76).

Footnote 76: For information on FIRST, send e-mail to FIRST-SEC@FIRST.ORG.

9.5 Interdependencies

Assurance is an issue for every control and safeguard discussed in this handbook. Are user IDs and access privileges kept up to date? Has the contingency plan been tested? Can the audit trail be tampered with? One important point to be reemphasized here is that assurance is not only for technical controls, but for operational controls as well. Although this chapter focused on information systems assurance, it is also important to have assurance that management controls are working well. Is the security program effective? Are policies understood and followed? As noted in the introduction to this chapter, the need for assurance is more widespread than people often realize.

Life Cycle. Assurance is closely linked to the planning for security in the system life cycle. Systems can be designed to facilitate various kinds of testing against specified security requirements. By planning for such testing early in the process, costs can be reduced; in some cases, without proper planning, some kinds of assurance cannot otherwise be obtained.

9.6 Cost Considerations

There are many methods of obtaining assurance that security features work as anticipated. Since assurance methods tend to be qualitative rather than quantitative, they will need to be evaluated. Assurance can also be quite expensive, especially if extensive testing is done. It is useful to evaluate the amount of assurance received for the cost to make a best-value decision. In general, personnel costs drive up the cost of assurance. Automated tools are generally limited to addressing specific problems, but they tend to be less expensive.
References

Borsook, P. "Seeking Security." Byte. 18(6), 1993. pp. 119-128.

Dykman, Charlene A., ed., and Charles K. Davis, asc. ed. Control Objectives -- Controls in an Information Systems Environment: Objectives, Guidelines, and Audit Procedures. (fourth edition). Carol Stream, IL: The EDP Auditors Foundation, Inc., April 1992.

Farmer, Dan, and Wietse Venema. "Improving the Security of Your Site by Breaking Into It." Available from FTP.WIN.TUE.NL. 1993.

Guttman, Barbara. Computer Security Considerations in Federal Procurements: A Guide for Procurement Initiators, Contracting Officers, and Computer Security Officials. Special Publication 800-4. Gaithersburg, MD: National Institute of Standards and Technology, March 1992.

Howe, D. "Information System Security Engineering: Cornerstone to the Future." Proceedings of the 15th National Computer Security Conference, Vol. 1. (Baltimore, MD) Gaithersburg, MD: National Institute of Standards and Technology, 1992. pp. 244-251.

Levine, M. "Audit Serve Security Evaluation Criteria." Audit Vision. 2(2), 1992. pp. 29-40.

National Bureau of Standards. Guideline for Computer Security Certification and Accreditation. Federal Information Processing Standard Publication 102. September 1983.

National Bureau of Standards. Guideline for Lifecycle Validation, Verification, and Testing of Computer Software. Federal Information Processing Standard Publication 101. June 1983.

National Bureau of Standards. Guideline for Software Verification and Validation Plans. Federal Information Processing Standard Publication 132. November 1987.

Nuegent, W., J. Gilligan, L. Hoffman, and Z. Ruthberg. Technology Assessment: Methods for Measuring the Level of Computer Security. Special
Publication 500-133. Gaithersburg, MD: National Bureau of Standards, 1985.

Peng, Wendy W., and Dolores R. Wallace. Software Error Analysis. Special Publication 500-209. Gaithersburg, MD: National Institute of Standards and Technology, 1993.

Peterson, P. "Infosecurity and Shrinking Media." ISSA Access. 5(2), 1992. pp. 19-22.

Pfleeger, C., S. Pfleeger, and M. Theofanos. "A Methodology for Penetration Testing." Computers and Security. 8(7), 1989. pp. 613-620.

Polk, W. Timothy, and Lawrence Bassham. A Guide to the Selection of Anti-Virus Tools and Techniques. Special Publication 800-5. Gaithersburg, MD: National Institute of Standards and Technology, December 1992.

Polk, W. Timothy. Automated Tools for Testing Computer System Vulnerability. Special Publication 800-6. Gaithersburg, MD: National Institute of Standards and Technology, December 1992.

President's Council on Integrity and Efficiency. Review of General Controls in Federal Computer Systems. Washington, DC: President's Council on Integrity and Efficiency, October 1988.

President's Council on Management Improvement and the President's Council on Integrity and Efficiency. Model Framework for Management Control Over Automated Information System. Washington, DC: President's Council on Management Improvement, January 1988.

Ruthberg, Zella G., Bonnie T. Fisher, and John W. Lainhart IV. System Development Auditor. Oxford, England: Elsevier Advanced Technology, 1991.

Ruthburg, Zella, et al. Guide to Auditing for Controls and Security: A System Development Life Cycle Approach. Special Publication 500-153. Gaithersburg, MD: National Bureau of Standards, April 1988.

Strategic Defense Initiation Organization. Trusted Software Methodology. Vols. 1 and II. SDI-S-SD-91-000007. June 17, 1992.

Wallace, Dolores, and J. C. Cherniasvsky. Guide to Software Acceptance. Special Publication 500-180. Gaithersburg, MD: National Institute of Standards and Technology, April 1990.

Wallace, Dolores, and Roger Fugi. Software Verification and Validation: Its Role in Computer Assurance and Its Relationship with Software Product Management
Standards. Special Publication 500-165. Gaithersburg, MD: National Institute of Standards and Technology, September 1989.

Wallace, Dolores R., Laura M. Ippolito, and D. Richard Kuhn. High Integrity Software Standards and Guidelines. Special Publication 500-204. Gaithersburg, MD: National Institute of Standards and Technology, 1992.

Wood, C., et al. Computer Security: A Comprehensive Controls Checklist. New York, NY: John Wiley & Sons, 1987.

OPERATIONAL CONTROLS

Chapter 10 PERSONNEL/USER ISSUES

Many important issues in computer security involve human users, designers, implementors, and managers. A broad range of security issues relate to how these individuals interact with computers and the access and authorities they need to do their job. No computer system can be secured without properly addressing these security issues (footnote 77).

Footnote 77: A distinction is made between users and personnel, since some users (e.g., contractors and members of the public) may not be considered personnel (i.e., employees).

This chapter examines issues concerning the staffing of positions that interact with computer systems; the administration of users on a system, including considerations for terminating employee access; and special considerations that may arise when contractors or the public have access to systems. Personnel issues are closely linked to logical access controls, discussed in Chapter 17.

10.1 Staffing

The staffing process generally involves at least four steps and can apply equally to general users as well as to application managers, system management personnel, and security personnel. These four steps are: (1) defining the job, normally involving the development of a position description; (2) determining the sensitivity of the position; (3) filling the position, which involves screening applicants and selecting an individual; and (4) training.

10.1.1 Position Definition

Early in the process of defining a position, security issues should be identified and dealt with. Once a position has been broadly defined, the responsible supervisor should determine the type of computer access needed for the position. There are two general principles to apply when granting
and least privilege.

Separation of duties refers to dividing roles and responsibilities so that a single individual cannot subvert a critical process. For example, in financial systems, no single individual should normally be given authority to issue checks. Rather, one person initiates a request for a payment and another authorizes that same payment. In effect, checks and balances need to be designed into both the process as well as the specific, individual positions of personnel who will implement the process. Ensuring that such duties are well defined is the responsibility of management.

Least privilege refers to the security objective of granting users only those accesses they need to perform their official duties. Data entry clerks, for example, may not have any need to run analysis reports of their database. However, least privilege does not mean that all users will have extremely little functional access; some employees will have significant access if it is required for their position. Applying this principle may nonetheless limit the damage resulting from accidents, errors, or unauthorized use of system resources. It is important to make certain that the implementation of least privilege does not interfere with the ability to have personnel substitute for each other without undue delay. Without careful planning, access control can interfere with contingency plans.

A distinction is made between users and personnel, since some users (e.g., contractors and members of the public) may not be considered personnel (i.e., employees).

10.1.2 Determining Position Sensitivity

Knowledge of the duties and access levels that a particular position will require is necessary for determining the sensitivity of the position. The responsible management official should correctly identify position sensitivity levels so that appropriate, cost-effective screening can be completed.

Various levels of sensitivity are assigned to positions in the federal government. Determining the
appropriate level is based upon such factors as the type and degree of harm (e.g., disclosure of private information, interruption of critical processing, computer fraud) the individual can cause through misuse of the computer system, as well as more traditional factors such as access to classified information and fiduciary responsibilities. Specific agency guidance should be followed on this matter.

It is important to select the appropriate position sensitivity, since controls in excess of the sensitivity of the position waste resources, while too little may cause unacceptable risks.

10.1.3 Filling the Position: Screening and Selecting

Once a position's sensitivity has been determined, the position is ready to be staffed. In the federal government, this typically includes publishing a formal vacancy announcement and identifying which applicants meet the position requirements. More sensitive positions typically require preemployment background screening; screening after employment has commenced (post-entry-on-duty) may suffice for less sensitive positions.

Background screening helps determine whether a particular individual is suitable for a given position. For example, in positions with high-level fiduciary responsibility, the screening process will attempt to ascertain the person's trustworthiness and appropriateness for a particular position. In the federal government, the screening process is formalized through a series of background checks conducted through a central investigative office within the organization or through another organization (e.g., the Office of Personnel Management).

In general, it is more effective to use separation of duties and least privilege to limit the sensitivity of the position, rather than relying on screening to reduce the risk to the organization.

Within the Federal Government, the most basic screening technique involves a check for a criminal history, checking FBI fingerprint records, and other federal indices.[78] More extensive background
checks examine other factors, such as a person's work and educational history, personal interview, history of possession or use of illegal substances, and interviews with current and former colleagues, neighbors, and friends. The exact type of screening that takes place depends upon the sensitivity of the position and applicable agency implementing regulations. Screening is not conducted by the prospective employee's manager; rather, agency security and personnel officers should be consulted for agency-specific guidance.

Outside of the Federal Government, employee screening is accomplished in many ways. Policies vary considerably among organizations due to the sensitivity of examining an individual's background and qualifications. Organizational policies and procedures normally try to balance fears of invasiveness and slander against the need to develop confidence in the integrity of employees. One technique may be to place the individual in a less sensitive position initially.

For both the Federal Government and private sector, finding something compromising in a person's background does not necessarily mean they are unsuitable for a particular job. A determination should be made based on the type of job, the type of finding or incident, and other relevant factors. In the federal government, this process is referred to as adjudication.

10.1.4 Employee Training and Awareness

Even after a candidate has been hired, the staffing process cannot yet be considered complete; employees have to be trained to do their job, which includes computer security responsibilities and duties. As discussed in Chapter 13, such security training can be very cost-effective in promoting security.

Some computer security experts argue that employees must receive initial computer security training before they are granted any access to computer systems. Others argue that this must be a risk-based decision, perhaps granting only restricted access (or perhaps only access to their PC) until the required training is
completed. Both approaches recognize that adequately trained employees are crucial to the effective functioning of computer systems and applications. Organizations may provide introductory training prior to granting any access, with follow-up, more extensive training. In addition, although training of new users is critical, it is important to recognize that security training and awareness activities should be ongoing during the time an individual is a system user. (See Chapter 13 for a more thorough discussion.)

[78] In the federal government, separate and unique screening procedures are not established for each position. Rather, positions are categorized by general sensitivity and are assigned a corresponding level of background investigation or other checks.

Figure 10.1

10.2 User Administration

Effective administration of users' computer access is essential to maintaining system security. User account management focuses on identification, authentication, and access authorizations. This is augmented by the process of auditing and otherwise periodically verifying the legitimacy of current accounts and access authorizations. Finally, there are considerations involved in the timely modification or removal of access and associated issues for employees who are reassigned, promoted, or terminated, or who retire.

10.2.1 User Account Management

User account management involves (1) the process of requesting, establishing, issuing, and closing user accounts; (2) tracking users and their respective access authorizations; and (3) managing these functions.

User account management typically begins with a request from the user's supervisor to the system manager for a system account. If a user is to have access to a particular application, this request may be sent through the application manager to the system manager. This will ensure that the systems office receives formal approval from the application manager for the employee to be given access. The request will
normally state the level of access to be granted, perhaps by function or by specifying a particular user profile. (Often, when more than one employee is doing the same job, a profile of permitted authorizations is created.)

Systems operations staff will normally then use the account request to create an account for the new user. The access levels of the account will be consistent with those requested by the supervisor. This account will normally be assigned selected access authorizations. These are sometimes built directly into applications, and other times rely upon the operating system. "Add-on" access applications are also used. These access levels and authorizations are often tied to specific access levels within an application.

Example of Access Levels Within an Application

  Level   Function
  1       Create Records
  2       Edit Group A records
  3       Edit Group B records
  4       Edit all records

Next, employees will be given their account information, including the account identifier (e.g., user ID) and a means of authentication (e.g., password or smart card/PIN). One issue that may arise at this stage is whether the user ID is to be tied to the particular position an employee holds (e.g., ACC5 is an accountant) or to the individual employee (e.g., BSMITH is Brenda Smith). Tying user IDs to positions may simplify administrative overhead in some cases; however, it may make auditing more difficult as one tries to trace the actions of a particular individual. It is normally more advantageous to tie the user ID to the individual employee. If the user ID is created and tied to a position, procedures will have to be established to change it if employees switch jobs or are otherwise reassigned.

When employees are given their account, it is often convenient to provide initial or refresher training and awareness on computer security issues. Users should be asked to review a set of rules and regulations for system access. To indicate their understanding of these rules, many organizations require employees to sign an "acknowledgment
statement," which may also state causes for dismissal or prosecution under the Computer Fraud and Abuse Act and other applicable state and local laws.[79]

When user accounts are no longer required, the supervisor should inform the application manager and system management office so accounts can be removed in a timely manner. One useful secondary check is to work with the local organization's personnel officer to establish a procedure for routine notification of employee departures to the systems office. Further issues are discussed in the "Termination" section of this chapter.

Sample User Account and Password Acknowledgment Form

I hereby acknowledge personal receipt of the system password(s) associated with the user IDs listed below. I understand that I am responsible for protecting the password(s), will comply with all applicable system security standards, and will not divulge my password(s) to any person. I further understand that I must report to the Information Systems Security Officer any problem I encounter in the use of the password(s) or when I have reason to believe that the private nature of my password(s) has been compromised.

It is essential to realize that access and authorization administration is a continuing process. New user accounts are added, while others are deleted. Permissions change: sometimes permanently, sometimes temporarily. New applications are added, upgraded, and removed. Tracking this information to keep it up to date is not easy, but is necessary to allow users access to only those functions necessary to accomplish their assigned responsibilities, thereby helping to maintain the principle of least privilege. In managing these accounts, there is a need to balance timeliness of service and record keeping. While sound record keeping practices are necessary, delays in processing requests (e.g., change requests) may lead to requests for more access than is really necessary, just to avoid delays should
such access ever be required.

Managing this process of user access is also one that, particularly for larger systems, is often decentralized. Regional offices may be granted the authority to create accounts and change user access authorizations, or to submit forms requesting that the centralized access control function make the necessary changes. Approval of these changes is important; it may require the approval of the file owner and the supervisor of the employee whose access is being changed.

10.2.2 Audit and Management Reviews

From time to time, it is necessary to review user account management on a system. Within the area of user access issues, such reviews may examine the levels of access each individual has, conformity with the concept of least privilege, whether all accounts are still active, whether management authorizations are up-to-date, whether required training has been completed, and so forth.

These reviews can be conducted on at least two levels:[80] (1) on an application-by-application basis, or (2) on a systemwide basis. Both kinds of reviews can be conducted by, among others, in-house systems personnel (a self-audit), the organization's internal audit staff, or external auditors. For example, a good practice is for application managers (and data owners, if different) to review all access levels of all application users every month and sign a formal access approval list, which will provide a written record of the approvals. While it may initially appear that such reviews should be conducted by systems personnel, they usually are not fully effective. System personnel can verify that users only have those accesses that their managers have specified. However, because access requirements may change over time, it is important to involve the application manager, who is often the only individual in a position to

[79] Whenever users are asked to sign a document, appropriate review by organizational legal counsel and, if applicable, employee bargaining units should be accomplished.
know current access requirements.

Outside audit organizations (e.g., the Inspector General [IG] or the General Accounting Office) may also conduct audits. For example, the IG may direct a more extensive review of permissions. This may involve discussing the need for particular access levels for specific individuals or the number of users with sensitive access. For example, how many employees should really have authorization to the check-printing function? (Auditors will also examine non-computer access by reviewing, for example, who should have physical access to the check printer or blank-check stock.)

10.2.3 Detecting Unauthorized/Illegal Activities

Several mechanisms are used besides auditing[81] and analysis of audit trails to detect unauthorized and illegal acts. (See Chapters 9 and 18.) For example, fraudulent activities may require the regular physical presence of the perpetrator(s). In such cases, the fraud may be detected during the employee's absence. Mandatory vacations for critical systems and applications personnel can help detect such activity (however, this is not a guarantee, for example, if problems are saved for their return). It is useful to avoid creating an excessive dependence upon any single individual, since the system will have to function during periods of absence. Particularly within the government, periodic rescreening of personnel is used to identify possible indications of illegal activity (e.g., living a lifestyle in excess of known income level).

[80] Note that this is not an either/or distinction.
[81] The term auditing is used here in a broad sense to refer to the review and analysis of past events.

10.2.4 Temporary Assignments and In-house Transfers

One significant aspect of managing a system involves keeping user access authorizations up to date. Access authorizations are typically changed under two types of circumstances: (1) a change in job role, either temporarily (e.g., while covering for an employee on sick leave) or permanently
(e.g., after an in-house transfer), and (2) termination, discussed in the following section.

Users often are required to perform duties outside their normal scope during the absence of others. This requires additional access authorizations. Although necessary, such extra access authorizations should be granted sparingly and monitored carefully, consistent with the need to maintain separation of duties for internal control purposes. Also, they should be removed promptly when no longer required.

Permanent changes are usually necessary when employees change positions within an organization. In this case, the process of granting account authorizations (described in Section 10.2.1) will occur again. At this time, however, it is also important that access authorizations of the prior position be removed. Many instances of "authorization creep" have occurred with employees continuing to maintain access rights for previously held positions within an organization. This practice is inconsistent with the principle of least privilege.

10.2.5 Termination

Termination of a user's system access generally can be characterized as either "friendly" or "unfriendly." Friendly termination may occur when an employee is voluntarily transferred, resigns to accept a better position, or retires. Unfriendly termination may include situations when the user is being fired for cause, "RIFed,"[82] or involuntarily transferred. Fortunately, the former situation is more common, but security issues have to be addressed in both situations.

10.2.5.1 Friendly Termination

Friendly termination refers to the removal of an employee from the organization when there is no reason to believe that the termination is other than mutually acceptable. Since terminations can be expected regularly, this is usually accomplished by implementing a standard set of procedures for outgoing or transferring employees. These are part of the standard employee "out-processing," and are put in place, for example, to ensure that system accounts are removed in a timely manner. Out-processing
often involves a sign-out form initialed by each functional manager with an interest in the separation. This normally includes the group(s) managing access controls, the control of keys, the briefing on the responsibilities for confidentiality and privacy, the library, the property clerk, and several other functions not necessarily related to information security.

In addition, other issues should be examined as well. The continued availability of data, for example, must often be assured. In both the manual and the electronic worlds, this may involve documenting procedures or filing schemes, such as how documents are stored on the hard disk and how they are backed up. Employees should be instructed whether or not to "clean up" their PC before leaving. If cryptography is used to protect data, the availability of cryptographic keys to management personnel must be ensured. Authentication tokens must be collected.

Confidentiality of data can also be an issue. For example, do employees know what information they are allowed to share with their immediate organizational colleagues? Does this differ from the information they may share with the public? These and other organization-specific issues should be addressed throughout an organization to ensure continued access to data and to provide continued confidentiality and integrity during personnel transitions. (Many of these issues should be addressed on an ongoing basis, not just during personnel transitions.) The training and awareness program normally should address such issues.

[82] RIF is a term used within the government as shorthand for "reduction in force."

10.2.5.2 Unfriendly Termination

Unfriendly termination involves the removal of an employee under involuntary or adverse conditions. This may include termination for cause, RIF, involuntary transfer, resignation for "personality conflicts," and situations with pending grievances. The tension in such terminations may multiply and complicate security issues. Additionally, all of the issues involved in friendly terminations are
still present, but addressing them may be considerably more difficult.

The greatest threat from unfriendly terminations is likely to come from those personnel who are capable of changing code or modifying the system or applications. For example, systems personnel are ideally positioned to wreak considerable havoc on systems operations. Without appropriate safeguards, personnel with such access can place logic bombs (e.g., a hidden program to erase a disk) in code that will not even execute until after the employee's departure. Backup copies can be destroyed. There are even examples where code has been "held hostage." But other employees, such as general users, can also cause damage. Errors can be input purposefully, documentation can be misfiled, and other "random" errors can be made. Correcting these situations can be extremely resource intensive.

Given the potential for adverse consequences, security specialists routinely recommend that system access be terminated as quickly as possible in such situations. If employees are to be fired, system access should be removed at the same time (or just before) the employees are notified of their dismissal. When an employee notifies an organization of a resignation and it can be reasonably expected that it is on unfriendly terms, system access should be immediately terminated. During the "notice" period, it may be necessary to assign the individual to a restricted area and function. This may be particularly true for employees capable of changing programs or modifying the system or applications. In other cases, physical removal from their offices (and, of course, logical removal, when logical access controls exist) may suffice.

10.3 Contractor Access Considerations

Many federal agencies as well as private organizations use contractors and consultants to assist with computer processing. Contractors are often used for shorter periods of time than regular employees. This factor
may change the cost-effectiveness of conducting screening. The often higher turnover among contractor personnel generates additional costs for security programs in terms of user administration.

10.4 Public Access Considerations

Many federal agencies have begun to design, develop, and implement public access systems for electronic dissemination of information to the public. Some systems provide electronic interaction by allowing the public to send information to the government (e.g., electronic tax filing) as well as to receive it. When systems are made available for access by the public (or a large or significant subset thereof), additional security issues arise due to: (1) increased threats against public access systems and (2) the difficulty of security administration.

While many computer systems have been victims of hacker attacks, public access systems are well known and have published phone numbers and network access IDs. In addition, a successful attack could result in a lot of publicity. For these reasons, public access systems are subject to a greater threat from hacker attacks on the confidentiality, availability, and integrity of information processed by a system. In general, it is safe to say that when a system is made available for public access, the risk to the system increases, and often the constraints on its use are tightened.

OMB Circular A-130, Appendix III, "Security of Federal Automated Information," and the NIST CSL Bulletin "Security Issues in Public Access Systems" both recommend segregating information made directly accessible to the public from official records.

Besides increased risk of hackers, public access systems can be subject to insider malice. For example, an unscrupulous user, such as a disgruntled employee, may try to introduce errors into data files intended for distribution in order to embarrass or discredit the organization. Attacks on public access systems could have a substantial impact on the
organization's reputation and the level of public confidence due to the high visibility of public access systems. Other security problems may arise from unintentional actions by untrained users.

In systems without public access, there are procedures for enrolling users that often involve some user training and frequently require the signing of forms acknowledging user responsibilities. In addition, user profiles can be created and sophisticated audit mechanisms can be developed to detect unusual activity by a user. In public access systems, users are often anonymous. This can complicate system security administration.

In most systems without public access, users are typically a mix of known employees or contractors. In this case, imperfectly implemented access control schemes may be tolerated. However, when opening up a system to public access, additional precautions may be necessary because of the increased threats.

10.5 Interdependencies

User issues are tied to topics throughout this handbook.

Training and Awareness, discussed in Chapter 13, is a critical part of addressing the user issues of computer security.

Identification and Authentication and Access Controls in a computer system can only prevent people from doing what the computer is instructed they are not allowed to do, as stipulated by Policy. The recognition by computer security experts that much more harm comes from people doing what they are allowed to do, but should not do, points to the importance of considering user issues in the computer security picture, and the importance of Auditing.

Policy, particularly its compliance component, is closely linked to personnel issues. A deterrent effect arises among users when they are aware that their misconduct, intentional or unintentional, will be detected.

These controls also depend on managers (1) selecting the right type and level of access for their employees, (2) informing system managers of which employees need accounts and what type and level of access they require, and (3) promptly informing system managers of
changes to access requirements. Otherwise, accounts and accesses can be granted to or maintained for people who should not have them.

10.6 Cost Considerations

There are many security costs under the category of user issues. Among these are:

Screening: Costs of initial background screening and periodic updates, as appropriate.[83]

Training and Awareness: Costs of training needs assessments, training materials, course fees, and so forth, as discussed separately in Chapter 13.

User Administration: Costs of managing identification and authentication which, particularly for large distributed systems, may be rather significant.

Access Administration: Particularly beyond the initial account set-up, there are ongoing costs of maintaining user accesses currently and completely.

Auditing: Although such costs can be reduced somewhat when using automated tools, consistent, resource-intensive human review is still often necessary to detect and resolve security anomalies.

[83] When analyzing the costs of screening, it is important to realize that screening is often conducted to meet requirements wholly unrelated to computer security.

References

Fites, P., and M. Kratz. Information Systems Security: A Practitioner's Reference. New York, NY: Van Nostrand Reinhold, 1993. (See especially Chapter 6.)

National Institute of Standards and Technology. "Security Issues in Public Access Systems." Computer Systems Laboratory Bulletin. May 1993.

North, S. "To Catch a 'Crimoid.'" Beyond Computing. 1(1), 1992. pp. 55-56.

Pankau, E. "The Consummate Investigator." Security Management. 37(2), 1993. pp. 37-41.

Schou, C., W. Machonachy, F. Lynn McNulty, and A. Chantker. "Information Security Professionalism for the 1990s." Computer Security Journal. 9(1), 1992. pp. 27-38.

Wagner, M. "Possibilities Are Endless, and Frightening." Open Systems Today. November 8 (136), 1993. pp. 16-17.

Wood, C. "Be Prepared Before You Fire." Infosecurity News. 5(2), 1994. pp. 51-54.

Wood, C. "Duress, Terminations and Information Security." Computers and Security. 12(6), 1993. pp. 527-535.
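The periodic access review described in Section 10.2.2, together with the separation-of-duties principle of 10.1.1, the "authorization creep" problem of 10.2.4 and the prompt account removal required by 10.2.5, can be mechanized as a reconciliation of what the system actually grants against what management has approved. The following Python program is an added example written for this edition of the page; it is not part of the NIST handbook and does not describe any particular product. Every account, employee name, position title, function name and date in it is constructed for illustration, and the finding categories and thresholds (90 idle days before an account counts as dormant, 365 days before an approval counts as stale) are assumptions chosen for the example rather than guidance from the text.

```python
"""Periodic user-access review over a constructed authorization snapshot.

Added example; not part of NIST SP 800-12. All accounts, names, positions,
function names and dates are constructed. Thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Function pairs one individual must never hold together (separation of duties),
# modelled on the chapter's payment-initiation / payment-authorization example.
SOD_CONFLICTS = {
    frozenset({"payment.initiate", "payment.authorize"}),
    frozenset({"payment.authorize", "check.print"}),
}
# Functions whose holder count an auditor asks about ("how many employees
# should really have authorization to the check-printing function?").
SENSITIVE_FUNCTIONS = {"payment.authorize", "check.print"}


@dataclass
class Account:            # what the system grants today
    user_id: str
    employee: str
    position: str         # position the account was created for
    granted: set
    last_login: date


@dataclass
class Authorization:      # what the application manager approved
    employee: str
    position: str         # employee's current position
    approved: set
    approved_on: date
    status: str           # "active", "transferred" or "terminated"


@dataclass
class Finding:
    user_id: str
    kind: str
    detail: str


def review(accounts, authorizations, today, max_idle_days=90, max_approval_age_days=365):
    """Reconcile live accounts with management approvals.

    Returns (findings, holders): findings is a list of Finding records, holders maps
    each sensitive function to the user IDs that currently hold it.
    """
    auth_by_employee = {a.employee: a for a in authorizations}
    findings, holders = [], {f: [] for f in SENSITIVE_FUNCTIONS}
    for acct in accounts:
        # Count holders first: an account that should already have been removed
        # still grants the function until it is actually closed.
        for func in acct.granted & SENSITIVE_FUNCTIONS:
            holders[func].append(acct.user_id)
        auth = auth_by_employee.get(acct.employee)
        if auth is None or auth.status == "terminated":
            findings.append(Finding(acct.user_id, "orphaned",
                                    "no current management authorization; remove account"))
            continue
        # Least privilege: anything granted that was never approved.
        excess = acct.granted - auth.approved
        if excess:
            # Rights carried over from a previous position are authorization creep.
            kind = "authorization_creep" if acct.position != auth.position else "excess_access"
            findings.append(Finding(acct.user_id, kind, ", ".join(sorted(excess))))
        # Separation of duties: no one person may complete a critical process alone.
        for pair in SOD_CONFLICTS:
            if pair <= acct.granted:
                findings.append(Finding(acct.user_id, "sod_conflict", ", ".join(sorted(pair))))
        # Dormant accounts and stale approvals are re-certification triggers.
        if (today - acct.last_login).days > max_idle_days:
            findings.append(Finding(acct.user_id, "dormant", f"last login {acct.last_login}"))
        if (today - auth.approved_on).days > max_approval_age_days:
            findings.append(Finding(acct.user_id, "stale_approval", f"approved {auth.approved_on}"))
    return findings, holders


REVIEW_DATE = date(2024, 6, 30)  # constructed review date
SAMPLE_ACCOUNTS = [              # constructed system snapshot
    Account("ACC5", "Brenda Smith", "ap_clerk", {"payment.initiate", "records.read"}, date(2024, 6, 27)),
    Account("TJONES", "Tom Jones", "ap_supervisor",
            {"payment.initiate", "payment.authorize", "records.read"}, date(2024, 6, 28)),
    Account("RLEE", "Rita Lee", "treasury_clerk", {"check.print", "records.read"}, date(2024, 6, 20)),
    Account("MKHAN", "Mo Khan", "ap_supervisor", {"payment.authorize", "records.read"}, date(2024, 5, 31)),
    Account("DPARK", "Dana Park", "analyst", {"records.read"}, date(2024, 2, 1)),
]
SAMPLE_AUTHORIZATIONS = [        # constructed manager approvals
    Authorization("Brenda Smith", "ap_clerk", {"payment.initiate", "records.read"}, date(2024, 1, 15), "active"),
    Authorization("Tom Jones", "ap_supervisor", {"payment.authorize", "records.read"}, date(2024, 1, 15), "active"),
    Authorization("Rita Lee", "hr_analyst", {"personnel.read"}, date(2024, 6, 1), "transferred"),
    Authorization("Mo Khan", "ap_supervisor", {"payment.authorize", "records.read"}, date(2024, 1, 15), "terminated"),
    Authorization("Dana Park", "analyst", {"records.read"}, date(2023, 3, 1), "active"),
]


def run_sample():
    return review(SAMPLE_ACCOUNTS, SAMPLE_AUTHORIZATIONS, REVIEW_DATE)


if __name__ == "__main__":
    findings, holders = run_sample()
    for f in findings:
        print(f"{f.user_id:8} {f.kind:20} {f.detail}")
    for func, ids in sorted(holders.items()):
        print(f"{func}: {len(ids)} holder(s): {', '.join(ids)}")
```

On the constructed data the review flags the supervisor who can both initiate and authorize a payment (a separation-of-duties conflict that also exceeds his approval), the transferred employee who kept check-printing rights from her old position (authorization creep), the terminated employee whose account is still live, and a dormant account whose approval is over a year old; the well-provisioned clerk produces no findings. The holder list is computed before the termination check so that the departed employee's account is still counted against the sensitive function, which is exactly the situation the review exists to surface.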
Chapter 11
PREPARING FOR CONTINGENCIES AND DISASTERS

A computer security contingency is an event with the potential to disrupt computer operations, thereby disrupting critical mission and business functions. Such an event could be a power outage, hardware failure, fire, or storm. If the event is very destructive, it is often called a disaster.[84]

To avert potential contingencies and disasters or minimize the damage they cause, organizations can take steps early to control the event. Generally called contingency planning,[85] this activity is closely related to incident handling, which primarily addresses malicious technical threats such as hackers and viruses.[86]

Contingency planning involves more than planning for a move offsite after a disaster destroys a data center. It also addresses how to keep an organization's critical functions operating in the event of disruptions, both large and small. This broader perspective on contingency planning is based on the distribution of computer support throughout an organization.

Contingency planning directly supports an organization's goal of continued operations. Organizations practice contingency planning because it makes good business sense.

This chapter presents the contingency planning process in six steps:[87]

1. Identifying the mission- or business-critical functions.
2. Identifying the resources that support the critical functions.
3. Anticipating potential contingencies or disasters.
4. Selecting contingency planning strategies.

[84] There is no distinct dividing line between disasters and other contingencies.
[85] Other names include disaster recovery, business continuity, continuity of operations, or business resumption planning.
[86] Some organizations include incident handling as a subset of contingency planning. The relationship is further discussed in Chapter 12, Incident Handling.
[87] Some organizations and methodologies may use a different order, nomenclature, number, or combination of steps. The specific steps can be modified, as long as the
basic functions are addressed.

5. Implementing the contingency strategies.
6. Testing and revising the strategy.

11.1 Step 1: Identifying the Mission- or Business-Critical Functions

Protecting the continuity of an organization's mission or business is very difficult if it is not clearly identified. Managers need to understand the organization from a point of view that usually extends beyond the area they control. The definition of an organization's critical mission or business functions is often called a business plan. Since the development of a business plan will be used to support contingency planning, it is necessary not only to identify critical missions and businesses, but also to set priorities for them. A fully redundant capability for each function is prohibitively expensive for most organizations. In the event of a disaster, certain functions will not be performed. If appropriate priorities have been set (and approved by senior management), it could mean the difference in the organization's ability to survive a disaster.

This chapter refers to an organization as having critical mission or business functions. In government organizations, the focus is normally on performing a mission, such as providing citizen benefits. In private organizations, the focus is normally on conducting a business, such as manufacturing widgets.

11.2 Step 2: Identifying the Resources That Support Critical Functions

After identifying critical missions and business functions, it is necessary to identify the supporting resources, the time frames in which each resource is used (e.g., is the resource needed constantly or only at the end of the month?), and the effect on the mission or business of the unavailability of the resource.

In many cases, the longer an organization is without a resource, the more critical the situation becomes. For example, the longer a garbage collection strike lasts, the more critical the situation becomes.

In identifying
resources, a traditional problem has been that different managers oversee different resources. They may not realize how resources interact to support the organization's mission or business. Many of these resources are not computer resources. Contingency planning should address all the resources needed to perform a function, regardless of whether they directly relate to a computer.[88]

The analysis of needed resources should be conducted by those who understand how the function is performed and the dependencies of various resources on other resources and other critical relationships. This will allow an organization to assign priorities to resources, since not all elements of all resources are crucial to the critical functions.

Resources That Support Critical Functions: Human Resources; Processing Capability; Computer-Based Services; Data and Applications; Physical Infrastructure; Documents and Papers.

11.2.1 Human Resources

People are perhaps an organization's most obvious resource. Some functions require the effort of specific individuals, some require specialized expertise, and some only require individuals who can be trained to perform a specific task. Within the information technology field, human resources include both operators (such as technicians or system programmers) and users (such as data entry clerks or information analysts).

11.2.2 Processing Capability

Traditionally, contingency planning has focused on processing power (i.e., if the data center is down, how can applications dependent on it continue to be processed?). Although the need for data center backup remains vital, today's other processing alternatives are also important. Local area

[88] However, since this is a computer security handbook, the descriptions here focus on the computer-related resources. The logistics of coordinating contingency planning for computer-related and other resources is an important consideration.
networks (LANs), minicomputers, workstations, and personal computers support critical functions in all forms of centralized and distributed processing.

Sidebar: Contingency Planning Teams
To understand what resources are needed from each of the six resource categories and to understand how the resources support critical functions, it is often necessary to establish a contingency planning team. A typical team contains representatives from various organizational elements and is often headed by a contingency planning coordinator. It has representatives from the following three groups: 1. business-oriented groups, such as representatives from functional areas; 2. facilities management; and 3. technology management. Various other groups are called on as needed, including financial management, personnel, training, safety, computer security, physical security, and public affairs.

11.2.3 Automated Applications and Data

Computer systems run applications that process data. Without current electronic versions of both applications and data, computerized processing may not be possible. If the processing is being performed on alternate hardware, the applications must be compatible with the alternate hardware, operating systems and other software (including version and configuration), and numerous other technical factors. Because of the complexity, it is normally necessary to periodically verify compatibility. (See Step 6, Testing and Revising.)

11.2.4 Computer-Based Services

An organization uses many different kinds of computer-based services to perform its functions. The two most important are normally communications services and information services. Communications can be further categorized as data and voice communications; however, in many organizations these are managed by the same service. Information services include any source of information outside of the organization. Many of these sources are becoming automated, including on-line government and private databases, news services, and bulletin boards.

11.2.5 Physical Infrastructure

For people to work effectively, they need a safe working environment and appropriate equipment and utilities. This can include office space, heating, cooling, venting, power, water, sewage, other utilities, desks, telephones, fax machines, personal computers, terminals, courier services, file cabinets, and many other items. In addition, computers also need space and electricity. Electronic and paper media used to store applications and data also have physical requirements.

11.2.6 Documents and Papers

Many functions rely on vital records and various documents, papers, or forms. These records could be important because of a legal need (such as being able to produce a signed copy of a loan) or because they are the only record of the information. Records can be maintained on paper, microfiche, microfilm, magnetic media, or optical disk.

11.3 Step 3: Anticipating Potential Contingencies or Disasters

Although it is impossible to think of all the things that can go wrong, the next step is to identify a likely range of problems. The development of scenarios will help an organization develop a plan to address the wide range of things that can go wrong. Scenarios should include small and large contingencies. While some general classes of contingency scenarios are obvious, imagination and creativity, as well as research, can point to other possible, but less obvious, contingencies. The contingency scenarios should address each of the resources described above. The following are examples of some of the types of questions that contingency scenarios may address:

Human Resources: Can people get to work? Are key personnel willing to cross a picket line? Are there critical skills and knowledge possessed by one person? Can people easily get to an alternative site?

Sidebar: Examples of Some Less Obvious Contingencies
A computer center in the basement of a building had a minor problem with rats. Exterminators killed the rats, but the bodies were not retrieved
because they were hidden under the raised flooring and in the pipe conduits. Employees could only enter the data center with gas masks because of the decomposing rats.

After the World Trade Center explosion, when people reentered the building, they turned on their computer systems to check for problems. Dust and smoke damaged many systems when they were turned on. If the systems had been cleaned, there would not have been significant damage.

Processing Capability: Are the computers harmed? What happens if some of the computers are inoperable, but not all?

Automated Applications and Data: Has data integrity been affected? Is an application sabotaged? Can an application run on a different processing platform?

Computer-Based Services: Can the computers communicate? To where? Can people communicate? Are information services down? For how long?

Infrastructure: Do people have a place to sit? Do they have equipment to do their jobs? Can they occupy the building?

Documents/Paper: Can needed records be found? Are they readable?

11.4 Step 4: Selecting Contingency Planning Strategies

The next step is to plan how to recover needed resources. In evaluating alternatives, it is necessary to consider what controls are in place to prevent and minimize contingencies. Since no set of controls can cost-effectively prevent all contingencies, it is necessary to coordinate prevention and recovery efforts.

A contingency planning strategy normally consists of three parts: emergency response, recovery, and resumption. [89] Emergency response encompasses the initial actions taken to protect lives and limit damage. Recovery refers to the steps that are taken to continue support for critical functions. Resumption is the return to normal operations. The relationship between recovery and resumption is important. The longer it takes to resume normal operations, the longer the organization will have to operate in the recovery mode.

89 Some organizations divide a contingency strategy into emergency response, backup operations, and recovery. The different terminology can be confusing (especially the use of conflicting definitions of recovery), although the basic functions performed are the same.

The selection of a strategy needs to be based on practical considerations, including feasibility and cost. The different categories of resources should each be considered. Risk assessment can be used to help estimate the cost of options to decide on an optimal strategy. For example, is it more expensive to purchase and maintain a generator or to move processing to an alternate site, considering the likelihood of losing electrical power for various lengths of time? Are the consequences of a loss of computer-related resources sufficiently high to warrant the cost of various recovery strategies? The risk assessment should focus on areas where it is not clear which strategy is the best.

Sidebar: Example #1
If the system administrator for a LAN has to be out of the office for a long time (due to illness or an accident), arrangements are made for the system administrator of another LAN to perform the duties. Anticipating this, the absent administrator should have taken steps beforehand to keep documentation current. This strategy is inexpensive, but service will probably be significantly reduced on both LANs, which may prompt the manager of the loaned administrator to partially renege on the agreement.

Sidebar: Example #2
An organization depends on an on-line information service provided by a commercial vendor. The organization is no longer able to obtain the information manually (e.g., from a reference book) within acceptable time limits, and there are no other comparable services. In this case, the organization relies on the contingency plan of the service provider. The organization pays a premium to obtain priority service in case the service provider has to operate at reduced capacity.

Sidebar: Example #3
A large mainframe data center has a contract with a hot site vendor, has a contract with the telecommunications carrier to reroute communications to
the hot site, has plans to move people, and stores up-to-date copies of data, applications, and needed paper records off-site. The contingency plan is expensive, but management has decided that the expense is fully justified.

Sidebar: Example #4
An organization distributes its processing among two major sites, each of which includes small to medium processors (personal computers and minicomputers). If one site is lost, the other can carry the critical load until more equipment is purchased. Routing of data and voice communications can be performed transparently to redirect traffic. Backup copies are stored at the other site. This plan requires tight control over the architectures used and the types of applications that are developed to ensure compatibility. In addition, personnel at both sites must be cross-trained to perform all functions.

In developing contingency planning strategies, there are many factors to consider in addressing each of the resources that support critical functions. Some examples are presented in the sidebars.

11.4.1 Human Resources

To ensure an organization has access to workers with the right skills and knowledge, training and documentation of knowledge are needed. During a major contingency, people will be under significant stress and may panic. If the contingency is a regional disaster, their first concerns will probably be their family and property. In addition, many people will be either unwilling or unable to come to work. Additional hiring or temporary services can be used. The use of additional personnel may introduce security vulnerabilities.

Contingency planning, especially for emergency response, normally places the highest emphasis on the protection of human life.

11.4.2 Processing Capability

Strategies for processing capability are normally grouped into five categories: hot site; cold site; redundancy; reciprocal agreements; and hybrids. These terms originated with recovery strategies for data centers but can be applied to other
platforms.

1. Hot site - A building already equipped with processing capability and other services.
2. Cold site - A building for housing processors that can be easily adapted for use.
3. Redundant site - A site equipped and configured exactly like the primary site. (Some organizations plan on having reduced processing capability after a disaster and use partial redundancy. The stocking of spare personal computers or LAN servers also provides some redundancy.)
4. Reciprocal agreement - An agreement that allows two organizations to back each other up. (While this approach often sounds desirable, contingency planning experts note that this alternative has the greatest chance of failure due to problems keeping agreements and plans up-to-date as systems and personnel change.)
5. Hybrids - Any combinations of the above, such as having a hot site as a backup in case a redundant or reciprocal agreement site is damaged by a separate contingency.

Recovery may include several stages, perhaps marked by increasing availability of processing capability. Resumption planning may include contracts or the ability to place contracts to replace equipment.

11.4.3 Automated Applications and Data

Normally, the primary contingency strategy for applications and data is regular backup and secure offsite storage. Important decisions to be addressed include how often the backup is performed, how often it is stored off-site, and how it is transported (to storage, to an alternate processing site, or to support the resumption of normal operations).

Sidebar: The need for computer security does not go away when an organization is processing in a contingency mode. In some cases the need may increase due to sharing processing facilities, concentrating resources in fewer sites, or using additional contractors and consultants. Security should be an important consideration when selecting contingency strategies.

11.4.4 Computer-Based Services

Service providers may offer contingency services. Voice communications carriers often can reroute calls transparently to the
user, to a new location. Data communications carriers can also reroute traffic. Hot sites are usually capable of receiving data and voice communications. If one service provider is down, it may be possible to use another. However, the type of communications carrier lost, either local or long distance, is important. Local voice service may be carried on cellular. Local data communications, especially for large volumes, is normally more difficult. In addition, resuming normal operations may require another rerouting of communications services.

11.4.5 Physical Infrastructure

Hot sites and cold sites may also offer office space in addition to processing capability support. Other types of contractual arrangements can be made for office space, security services, furniture, and more in the event of a contingency. If the contingency plan calls for moving offsite, procedures need to be developed to ensure a smooth transition back to the primary operating facility or to a new facility. Protection of the physical infrastructure is normally an important part of the emergency response plan, such as use of fire extinguishers or protecting equipment from water damage.

11.4.6 Documents and Papers

The primary contingency strategy is usually backup onto magnetic, optical, microfiche, paper, or other medium and offsite storage. Paper documents are generally harder to back up than electronic ones. A supply of forms and other needed papers can be stored offsite.

11.5 Step 5: Implementing the Contingency Strategies

Once the contingency planning strategies have been selected, it is necessary to make appropriate preparations, document the strategies, and train employees. Many of these tasks are ongoing.

11.5.1 Implementation

Much preparation is needed to implement the strategies for protecting critical functions and their supporting resources. For example, one common preparation is to establish procedures for backing up files and applications. Another preparation is to establish contracts and agreements, if the contingency strategy calls for them. Existing service contracts may need to be renegotiated to add contingency services. Another preparation may be to purchase equipment, especially to support a redundant capability.

It is important to keep preparations, including documentation, up-to-date. Computer systems change rapidly, and so should backup services and redundant equipment. Contracts and agreements may also need to reflect the changes. If additional equipment is needed, it must be maintained and periodically replaced when it is no longer dependable or no longer fits the organization's architecture.

Sidebar: Backing up data files and applications is a critical part of virtually every contingency plan. Backups are used, for example, to restore files after a personal computer virus corrupts the files or after a hurricane destroys a data processing center.

Preparation should also include formally designating people who are responsible for various tasks in the event of a contingency. These people are often referred to as the contingency response team. This team is often composed of people who were a part of the contingency planning team.

There are many important implementation issues for an organization. Two of the most important are 1) how many plans should be developed? and 2) who prepares each plan? Both of these questions revolve around the organization's overall strategy for contingency planning. The answers should be documented in organization policy and procedures.

How Many Plans? Some organizations have just one plan for the entire organization, and others have a plan for every distinct computer system, application, or other resource. Other approaches recommend a plan for each business or mission function, with separate plans, as needed, for critical resources.

Sidebar: Relationship Between Contingency Plans and Computer Security Plans
For small or less complex systems, the contingency plan may be a part of the computer
security plan. For larger or more complex systems, the computer security plan could contain a brief synopsis of the contingency plan, which would be a separate document.

The answer to the question, therefore, depends upon the unique circumstances for each organization. But it is critical to coordinate between resource managers and functional managers who are responsible for the mission or business.

Who Prepares the Plan? If an organization decides on a centralized approach to contingency planning, it may be best to name a contingency planning coordinator. The coordinator prepares the plans in cooperation with various functional and resource managers. Some organizations place responsibility directly with the functional and resource managers.

11.5.2 Documenting

The contingency plan needs to be written, kept up-to-date as the system and other factors change, and stored in a safe place. A written plan is critical during a contingency, especially if the person who developed the plan is unavailable. It should clearly state in simple language the sequence of tasks to be performed in the event of a contingency, so that someone with minimal knowledge could immediately begin to execute the plan. It is generally helpful to store up-to-date copies of the contingency plan in several locations, including any off-site locations, such as alternate processing sites or backup data storage facilities.

11.5.3 Training

All personnel should be trained in their contingency-related duties. New personnel should be trained as they join the organization, refresher training may be needed, and personnel will need to practice their skills. Training is particularly important for effective employee response during emergencies. There is no time to check a manual to determine correct procedures when there is a fire. Depending on the nature of the emergency, there may or may not be time to protect equipment and other assets. Practice is necessary in order to react correctly,
especially when human safety is involved.

11.6 Step 6: Testing and Revising

A contingency plan should be tested periodically because there will undoubtedly be flaws in the plan and in its implementation. The plan will become dated as time passes and as the resources used to support critical functions change. Responsibility for keeping the contingency plan current should be specifically assigned. The extent and frequency of testing will vary between organizations and among systems. There are several types of testing, including reviews, analyses, and simulations of disasters.

Sidebar: Contingency plan maintenance can be incorporated into procedures for change management so that upgrades to hardware and software are reflected in the plan.

A review can be a simple test to check the accuracy of contingency plan documentation. For instance, a reviewer could check if individuals listed are still in the organization and still have the responsibilities that caused them to be included in the plan. This test can check home and work telephone numbers, organizational codes, and building and room numbers. The review can determine if files can be restored from backup tapes or if employees know emergency procedures.

Sidebar: The results of a "test" often implies a grade assigned for a specific level of performance, or simply pass or fail. However, in the case of contingency planning, a test should be used to improve the plan. If organizations do not use this approach, flaws in the plan may remain hidden and uncorrected.

An analysis may be performed on the entire plan or portions of it, such as emergency response procedures. It is beneficial if the analysis is performed by someone who did not help develop the contingency plan but has a good working knowledge of the critical function and supporting resources. The analyst(s) may mentally follow the strategies in the contingency plan, looking for flaws in the logic or process used by the plan's developers. The analyst may also interview functional managers, resource managers, and their staff to uncover missing or unworkable pieces of the plan.

Organizations may also arrange disaster simulations. These tests provide valuable information about flaws in the contingency plan and provide practice for a real emergency. While they can be expensive, these tests can also provide critical information that can be used to ensure the continuity of important functions. In general, the more critical the functions and the resources addressed in the contingency plan, the more cost-beneficial it is to perform a disaster simulation.

11.7 Interdependencies

Since all controls help to prevent contingencies, there is an interdependency with all of the controls in the handbook.

Risk Management provides a tool for analyzing the security costs and benefits of various contingency planning options. In addition, a risk management effort can be used to help identify critical resources needed to support the organization and the likely threat to those resources. It is not necessary, however, to perform a risk assessment prior to contingency planning, since the identification of critical resources can be performed during the contingency planning process itself.

Physical and Environmental Controls help prevent contingencies. Although many of the other controls, such as logical access controls, also prevent contingencies, the major threats that a contingency plan addresses are physical and environmental threats, such as fires, loss of power, plumbing breaks, or natural disasters.

Incident Handling can be viewed as a subset of contingency planning. It is the emergency response capability for various technical threats. Incident handling can also help an organization prevent future incidents.

Support and Operations in most organizations includes the periodic backing up of files. It also includes the prevention and recovery
from more common contingencies, such as a disk failure or corrupted data files.

Policy is needed to create and document the organization's approach to contingency planning. The policy should explicitly assign responsibilities.

11.8 Cost Considerations

The cost of developing and implementing contingency planning strategies can be significant, especially if the strategy includes contracts for backup services or duplicate equipment. There are too many options to discuss cost considerations for each type.

One contingency cost that is often overlooked is the cost of testing a plan. Testing provides many benefits and should be performed, although some of the less expensive methods (such as a review) may be sufficient for less critical resources.

Chapter 12 COMPUTER SECURITY INCIDENT HANDLING

Computer systems are subject to a wide range of mishaps, from corrupted data files, to viruses, to natural disasters. Some of these mishaps can be fixed through standard operating procedures. For example, frequently occurring events (e.g., a mistakenly deleted file) can usually be readily repaired (e.g., by restoration from the backup file). More severe mishaps, such as outages caused by natural disasters, are normally addressed in an organization's contingency plan. Other damaging events result from deliberate malicious technical activity (e.g., the creation of viruses or system hacking).

A computer security incident can result from a computer virus, other malicious code, or a system intruder, either an insider or an outsider. It is used in this chapter to broadly refer to those incidents resulting from deliberate malicious technical activity. [90] It can more generally refer to those incidents that, without technically expert response, could result in severe damage. [91] This definition of a computer security incident is somewhat flexible and may vary by organization and computing environment.

Sidebar: Malicious code includes viruses as well as Trojan horses and worms. A virus is a code segment that replicates by attaching copies of itself to existing executables. A Trojan horse is a program that performs a desired task, but also includes unexpected functions. A worm is a self-replicating program.

Although the threats that hackers and malicious code pose to systems and networks are well known, the occurrence of such harmful events remains unpredictable. Security incidents on larger networks (e.g., the Internet), such as break-ins and service disruptions, have harmed various organizations' computing capabilities. When initially confronted with
such incidents, most organizations respond in an ad hoc manner. However, recurrence of similar incidents often makes it cost-beneficial to develop a standing capability for quick discovery of and response to such events. This is especially true, since incidents can often "spread" when left unchecked, thus increasing damage and seriously harming an organization.

90 Organizations may wish to expand this to include, for example, incidents of theft.

91 Indeed, damage may result despite the best efforts to the contrary.

Incident handling is closely related to contingency planning as well as support and operations. An incident handling capability may be viewed as a component of contingency planning, because it provides the ability to react quickly and efficiently to disruptions in normal processing. Broadly speaking, contingency planning addresses events with the potential to interrupt system operations. Incident handling can be considered that portion of contingency planning that responds to malicious technical threats.

This chapter describes how organizations can address computer security incidents (in the context of their larger computer security program) by developing a computer security incident handling capability. [92] Many organizations handle incidents as part of their user support capability (discussed in Chapter 14) or as a part of general system support.

92 See NIST Special Publication 800-3, Establishing an Incident Response Capability, November 1991.

12.1 Benefits of an Incident Handling Capability

The primary benefits of an incident handling capability are containing and repairing damage from incidents, and preventing future damage. In addition, there are less obvious side benefits related to establishing an incident handling capability.

12.1.1 Containing and Repairing Damage From Incidents

When left unchecked, malicious software can significantly harm an organization's computing, depending on the technology and its connectivity. An incident handling capability provides a way for users to report incidents [93] and the appropriate response and assistance to be provided to aid in recovery. Technical capabilities (e.g., trained personnel and virus identification software) are prepositioned, ready to be used as necessary. Moreover, the organization will have already made important contacts with other supportive sources (e.g., legal, technical, and managerial) to aid in containment and recovery efforts.

93 A good incident handling capability is closely linked to an organization's training and awareness program. It will have educated users about such incidents and what to do when they occur. This can increase the likelihood that incidents will be reported early, thus helping to minimize damage.

Sidebar: Incidents
Some organizations suffer repeated outbreaks of viruses because the viruses are never completely eradicated. For example, suppose two LANs, Personnel and Budget, are connected, and a virus has spread within each. The administrators of each LAN detect the virus and decide to eliminate it on their LAN. The Personnel LAN administrator first eradicates the virus, but since the Budget LAN is not yet virus-free, the Personnel LAN is reinfected. Somewhat later, the Budget LAN administrator eradicates the virus. However, the virus reinfects the Budget LAN from the Personnel LAN. Both administrators may think all is well, but both are reinfected. An incident handling capability allows organizations to address recovery and containment of such incidents in a skilled, coordinated manner.

Without an incident handling capability, certain responses (although well intentioned) can actually make matters worse. In some cases, individuals have unknowingly infected anti-virus software with viruses and then spread them to other systems. When viruses spread to local area networks (LANs), most
or all of the connected computers can be infected within hours. Moreover, uncoordinated efforts to rid LANs of viruses can prevent their eradication.

Many organizations use large LANs internally and also connect to public networks, such as the Internet. By doing so, organizations increase their exposure to threats from intruder activity, especially if the organization has a high profile (e.g., perhaps it is involved in a controversial program). An incident handling capability can provide enormous benefits by responding quickly to suspicious activity and coordinating incident handling with responsible offices and individuals, as necessary. Intruder activity, whether hackers or malicious code, can often affect many systems located at many different network sites; thus, handling the incidents can be logistically complex and can require information from outside the organization. By planning ahead, such contacts can be preestablished and the speed of response improved, thereby containing and minimizing damage. Other organizations may have already dealt with similar situations and may have very useful guidance to offer in speeding recovery and minimizing damage.

12.1.2 Preventing Future Damage

An incident handling capability also assists an organization in preventing (or at least minimizing) damage from future incidents. Incidents can be studied internally to gain a better understanding of the organization's threats and vulnerabilities so more effective safeguards can be implemented. Additionally, through outside contacts (established by the incident handling capability) early warnings of threats and vulnerabilities can be provided. Mechanisms will already be in place to warn users of these risks.

The incident handling capability allows an organization to learn from the incidents that it has experienced. Data about past incidents (and the corrective measures taken) can be collected. The data can be analyzed for patterns, for example, which viruses are most prevalent, which corrective actions are most successful, and which systems and information are being targeted by hackers. Vulnerabilities can also be identified in this process, for example, whether damage is occurring to systems when a new software package or patch is used. Knowledge about the types of threats that are occurring and the presence of vulnerabilities can aid in identifying security solutions. This information will also prove useful in creating a more effective training and awareness program, and thus help reduce the potential for losses. The incident handling capability assists the training and awareness program by providing information to users as to (1) measures that can help avoid incidents (e.g., virus scanning) and (2) what should be done in case an incident does occur.

Sidebar: The sharing of incident data among organizations can help at both the national and the international levels to prevent and respond to breaches of security in a timely, coordinated manner.

Of course, the organization's attempts to prevent future losses does not occur in a vacuum. With a sound incident handling capability, contacts will have been established with counterparts outside the organization. This allows for early warning of threats and vulnerabilities that the organization may not yet have experienced. Early preventative measures (generally more cost-effective than repairing damage) can then be taken to reduce future losses. Data is also shared outside the organization to allow others to learn from the organization's experiences.

12.1.3 Side Benefits

Finally, establishing an incident handling capability helps an organization in perhaps unanticipated ways. Three are discussed here.

Uses of Threat and Vulnerability Data. Incident handling can greatly enhance the risk assessment process. An incident handling capability will allow organizations to collect threat data that may be useful in their risk assessment and safeguard selection processes (e.g., in designing new systems). Incidents can be logged and analyzed to determine whether there is a recurring problem (or if other patterns are present, as are sometimes seen in hacker attacks), which would not be noticed if each incident were only viewed in isolation.
Enhancing Internal Communications and Organization Preparedness. Organizations often find that an incident handling capability enhances internal communications and the readiness of the organization to respond to any type of incident, not just computer security incidents. Internal communications will be improved; management will be better organized to receive communications; and contacts within public affairs, legal staff, law enforcement, and other groups will have been preestablished. The structure set up for reporting incidents can also be used for other purposes.

Enhancing the Training and Awareness Program. The organization's training process can also benefit from incident handling experiences. Based on incidents reported, training personnel will have a better understanding of users' knowledge of security issues. Trainers can use actual incidents to vividly illustrate the importance of computer security. Training that is based on current threats and controls recommended by incident handling staff provides users with information more specifically directed to their current needs - thereby reducing the risks to the organization from incidents.

12.2 Characteristics of a Successful Incident Handling Capability

A successful incident handling capability has several core characteristics: an understanding of the constituency it will serve; an educated constituency; a means for centralized communications; expertise in the requisite technologies; and links to other groups to assist in incident handling (as needed).

12.2.1 Defining the Constituency to Be Served

The constituency includes computer users and program managers. Like any other customer-vendor relationship, the constituency will tend to take advantage of the capability if the services rendered are valuable.

The constituency is not always the entire organization. For example, an organization may use several types of computers and networks but may decide that its incident handling capability is cost-justified only for its personal computer users. In doing so, the organization may have determined that computer viruses pose a much larger risk than other malicious technical threats on other platforms. Or, a large organization composed of several sites may decide that current computer security efforts at some sites do not require an incident handling capability, whereas other sites do (perhaps because of the criticality of processing).

The focus of a computer security incident handling capability may be external as well as internal. An incident that affects an organization may also affect its trading partners, contractors, or clients. In addition, an organization's computer security incident handling capability may be able to help other organizations and, therefore, help protect the community as a whole.

12.2.2 Educated Constituency

Users need to know about, accept, and trust the incident handling capability or it will not be used. Through training and awareness programs, users can become knowledgeable about the existence of the capability and how to recognize and report incidents. Users' trust in the value of the service will build with reliable performance.

Managers need to know details about incidents, including who discovered them and how, so that they can prevent similar incidents in the future. However, users will not be forthcoming if they fear reprisal or that they will become scapegoats. Organizations may need to offer incentives to employees for reporting incidents and offer guarantees against reprisal or other adverse actions. It may also be useful to consider anonymous reporting.

12.2.3 Centralized Reporting and Communications

Successful incident handling requires that users be able to report incidents to the incident handling team in a convenient, straightforward fashion; this is referred to as centralized reporting. A successful incident handling capability depends on timely reporting. If it is difficult or time consuming to report incidents, the incident handling capability may not be fully used. Usually, some form of a hotline, backed up by pagers, works well.

Centralized communications is very useful for accessing or distributing information relevant to the incident handling effort. For example, if users are linked together via a network, the incident handling capability can then use the network to send out timely announcements and other information. Users can take advantage of the network to retrieve security information stored on servers and communicate with the incident response team via e-mail.

12.2.4 Technical Platform and Communications Expertise

The technical staff members who comprise the incident handling capability need specific knowledge, skills, and abilities. Desirable qualifications for technical staff members may include the ability to: work expertly with some or all of the constituency's core technology; work in a group environment; communicate effectively with different types of users, who will range from system administrators to unskilled users to management to law-enforcement officials; be on-call 24 hours as needed; and travel on short notice (of course, this depends upon the physical location of the constituency to be served).

12.2.5 Liaison With Other Organizations

Due to increasing computer connectivity, intruder activity on networks can affect many organizations, sometimes including those in foreign countries. Therefore, an organization's incident handling team may need to work with other teams or security groups to effectively handle incidents that range beyond its constituency. Additionally, the team may need to pool its knowledge with other teams at various times. Thus, it is vital to the success of an incident handling capability that it establish ties and contacts with other related counterparts and supporting organizations.

Especially important to incident handling are contacts with investigative agencies, such as federal (e.g., the FBI), state, and local law enforcement. Laws that affect computer crime vary among localities and states, and some actions may be state (but not federal) crimes. It is important for teams to be familiar with current laws and to have established contacts within law enforcement and investigative agencies.

The Forum of Incident Response and Security Teams. The 1988 Internet worm incident highlighted the need for better methods for responding to and sharing information about incidents. It was also clear that any single team or "hot line" would simply be overwhelmed. Out of this was born the concept of a coalition of response teams - each with its own constituency, but working together to share information, provide alerts, and support each other in the response to incidents. The Forum of Incident Response and Security Teams (FIRST) includes teams from government, industry, computer manufacturers, and academia. NIST serves as the secretariat of FIRST.

Incidents can also garner much media attention and can reflect quite negatively on an organization's image. An incident handling capability may need to work closely with the organization's public affairs office, which is trained in dealing with the news media. In presenting information to the press, it is important that (1) attackers are not given information that would place the organization at greater risk and (2) potential legal evidence is properly protected.

12.3 Technical Support for Incident Handling

Incident handling will be greatly enhanced by technical mechanisms that enable the dissemination of information quickly and conveniently.

12.3.1 Communications for Centralized Reporting of Incidents

The technical ability to report incidents is of primary importance, since without knowledge of an incident, response is precluded. Fortunately, such technical mechanisms are already in place in many organizations.

For rapid response to constituency problems, a simple telephone hotline is practical and convenient. Some agencies may already have a number used for emergencies or for obtaining help with other problems; it may be practical (and cost-effective) to also use this number for incident handling. It may be necessary to provide 24-hour coverage for the hotline. This can be done by staffing the answering center, by providing an answering service for nonoffice hours, or by using a combination of an answering machine and personal pagers.

If additional mechanisms for contacting the incident handling team can be provided, it may increase access and thus benefit incident handling efforts. A centralized e-mail address that forwards mail to staff members would permit the constituency to conveniently exchange information with the team. Providing a fax number to users may also be helpful.

One way to establish a centralized reporting and incident response capability, while minimizing expenditures, is to use an existing Help Desk. Many agencies already have central Help Desks for fielding calls about commonly used applications, troubleshooting system problems, and providing help in detecting and eradicating computer viruses. By expanding the capabilities of the Help Desk and publicizing its telephone number (or e-mail address), an agency may be able to significantly improve its ability to handle many different types of incidents at minimal cost.

12.3.2 Rapid Communications Facilities

Some form of rapid communications is essential for quickly communicating with the constituency as well as with management officials and outside organizations. The team may need to send out security advisories or collect information quickly; thus, some convenient form of communications, such as electronic mail, is generally highly desirable. With electronic mail, the team can easily direct information to various subgroups within the constituency, such as system managers or network managers, and broadcast general alerts to the entire constituency as needed. When connectivity already exists, e-mail has low overhead and is easy to use. (However, it is possible for the e-mail system itself to be attacked, as was the case with the 1988 Internet worm.)

Although there are substitutes for e-mail, they tend to increase response time. An electronic bulletin board system (BBS) can work well for distributing information, especially if it provides a convenient user interface that encourages its use. A BBS connected to a network is more convenient to access than one requiring a terminal and modem; however, the latter may be the only alternative for organizations without sufficient network connectivity. In addition, telephones, physical bulletin boards, and flyers can be used.

12.3.3 Secure Communications Facilities

Incidents can range from the trivial to those involving national security. Often, when exchanging information about incidents, using encrypted communications may be advisable. This will help prevent the unintended distribution of incident-related information. Encryption technology is available for voice, fax, and e-mail communications.

12.4 Interdependencies

An incident handling capability generally depends upon other safeguards presented in this handbook. The most obvious is the strong link to other components of the contingency plan. The following paragraphs detail the most important of these interdependencies.

Contingency Planning. As discussed in the introduction to this chapter, an incident handling capability can be viewed as the component of contingency planning that deals with responding to technical threats, such as viruses or hackers. Close coordination is necessary with other contingency planning efforts, particularly when planning for contingency processing in the event of a serious unavailability of system resources.

Support and Operations. Incident handling is also closely linked to support and operations, especially user support and backups. For example, for purposes of efficiency and cost savings, the incident handling capability is often co-operated with a user "help desk." Also, backups of system resources may need to be used when recovering from an incident.

Training and Awareness. The training and awareness program can benefit from lessons learned during incident handling. Incident handling staff will be able to help assess the level of user awareness about current threats and vulnerabilities. Staff members may be able to help train system administrators, system operators, and other users and systems personnel. Knowledge of security precautions (resulting from such training) helps reduce future incidents. It is also important that users are trained what to report and how to report it.

Risk Management. The risk analysis process will benefit from statistics and logs showing the numbers and types of incidents that have occurred and the types of controls that are effective in preventing incidents. This information can be used to help select appropriate security controls and practices.

12.5 Cost Considerations

There are a number of start-up costs and funding issues to consider when planning an incident handling capability. Because the success of an incident handling capability relies so heavily on users' perceptions of its worth and whether they use it, it is very important that the capability be able to meet users' requirements. Two important funding issues are:

Personnel. An incident handling capability plan might call for at least one manager and one or more technical staff members (or their equivalent) to accomplish program objectives. Depending on the scope of the effort, however, full-time staff members may not be required. In some situations, some staff may be needed part-time or on an on-call basis. Staff may be performing incident handling duties as an adjunct responsibility to their normal assignments.

Education and Training. Incident handling staff will need to keep current with computer system and security developments. Budget allowances need to be made, therefore, for attending conferences, security seminars, and other continuing-education events. If an organization is located in more than one geographic area, funds will probably be needed for travel to other sites for handling incidents.

References

Brand, Russell L. Coping With the Threat of Computer Security Incidents: A Primer from Prevention Through Recovery. July 1989.

Fedeli, Alan. "Organizing a Corporate Anti-Virus Effort." Proceedings of the Third Annual Computer VIRUS Clinic, Nationwide Computer Corp., March 1990.

Holbrook, P., and J. Reynolds, eds. Site Security Handbook. RFC 1244, prepared for the Internet Engineering Task Force, 1991. FTP from csrc.nist.gov:/put/secplcy/rfc1244.txt.

National Institute of Standards and Technology. "Establishing a Computer Security Incident Response Capability." Computer Systems Laboratory Bulletin. Gaithersburg, MD, February 1992.

Padgett, K. Establishing and Operating an Incident Response Team. Los Alamos, NM: Los Alamos National Laboratory, 1992.

Pethia, Rich, and Kenneth van Wyk. Computer Emergency Response - An International Problem. 1990.

Quarterman, John. The Matrix - Computer Networks and Conferencing Systems Worldwide. Digital Press, 1990.

Scherlis, William, S. Squires, and R. Pethia. Computer Emergency Response. 1989.

Schultz, E., D. Brown, and T. Longstaff. Responding to Computer Security Incidents: Guidelines for Incident Handling. University of California Technical Report UCRL-104689, 1990.

Proceedings of the Third Invitational Workshop on Computer Security Incident Response. August 1991.

Wack, John. Establishing an Incident Response Capability. Special Publication 800-3. Gaithersburg, MD: National Institute of Standards and Technology, November 1991.
Chapter 13 AWARENESS, TRAINING, AND EDUCATION

People, who are all fallible, are usually recognized as one of the weakest links in securing systems. The purpose of computer security awareness, training, and education is to enhance security by:

o improving awareness of the need to protect system resources;
o developing skills and knowledge so computer users can perform their jobs more securely; and
o building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems.

Making computer system users aware of their security responsibilities and teaching them correct practices helps users change their behavior.[95] It also supports individual accountability, which is one of the most important ways to improve computer security. Without knowing the necessary security measures (and how to use them), users cannot be truly accountable for their actions. The importance of this training is emphasized in the Computer Security Act, which requires training for those involved with the management, use, and operation of federal computer systems.

This chapter first discusses the two overriding benefits of awareness, training, and education, namely: (1) improving employee behavior and (2) increasing the ability to hold employees accountable for their actions. Next, awareness, training, and education are discussed separately, with techniques used for each. Finally, the chapter presents one approach for developing a computer security awareness and training program.[96]

[95] One often-cited goal of training is changing people's attitudes. This chapter views changing attitudes as just one step toward changing behavior.
[96] This chapter does not discuss the specific contents of training programs. See the references for details of suggested course contents.

13.1 Behavior

People are a crucial factor in ensuring the security of computer systems and valuable information resources. Human actions account for a far greater degree of computer-related loss than all other sources combined. Of such losses, the actions of an organization's insiders normally cause far more harm than the actions of outsiders. (Chapter 4 discusses the major sources of computer-related loss.)

The major causes of loss due to an organization's own employees are: errors and omissions, fraud, and actions by disgruntled employees. One principal purpose of security awareness, training, and education is to reduce errors and omissions. However, it can also reduce fraud and unauthorized activity by disgruntled employees by increasing employees' knowledge of their accountability and the penalties associated with such actions.

Management sets the example for behavior within an organization. If employees know that management does not care about security, no training class teaching the importance of security and imparting valuable skills can be truly effective. This "tone from the top" has myriad effects on an organization's security program.

13.2 Accountability

Both the dissemination and the enforcement of policy are critical issues that are implemented and strengthened through training programs. Employees cannot be expected to follow policies and procedures of which they are unaware. In addition, enforcing penalties may be difficult if users can claim ignorance when caught doing something wrong.

One of the keys to a successful computer security program is security awareness and training. If employees are not informed of applicable organizational policies and procedures, they cannot be expected to act effectively to secure computer resources.

Training employees may also be necessary to show that a standard of due care has been taken in protecting information. Simply issuing policy, with no follow-up to implement that policy, may not suffice.

Many organizations use acknowledgment statements, which state that employees have read and understand computer security requirements. (An example is provided in Chapter 10.)

13.3 Awareness

Security awareness programs: (1) set the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of its failure; and (2) remind users of the procedures to be followed. Explaining what happens to an organization, its mission, customers, and employees if security fails motivates people to take security seriously.

Awareness stimulates and motivates those being trained to care about security and to remind them of important security practices.

Awareness can take on different forms for particular audiences. Appropriate awareness for management officials might stress management's pivotal role in establishing organizational attitudes toward security. Appropriate awareness for other groups, such as system programmers or information analysts, should address the need for security as it relates to their job. In today's systems environment, almost everyone in an organization may have access to system resources - and therefore may have the potential to cause harm.

Figure 13.1 Comparative Framework

Attribute          AWARENESS ("What")            TRAINING ("How")                  EDUCATION ("Why")
Level              Information                   Knowledge                         Insight
Objective          Recognition                   Skill                             Understanding
Teaching Method    Media: videos, newsletters,   Practical instruction: lecture,   Theoretical instruction:
                   posters, etc.                 case study workshop, hands-on     discussion seminar,
                                                 practice                          background reading
Test Measure       True/False, multiple choice   Problem solving                   Essay
                   (identify learning)           (apply learning)                  (interpret learning)
Impact Timeframe   Short-term                    Intermediate                      Long-term

Figure 13.1 compares some of the differences in awareness, training, and education.

Awareness is used to reinforce the fact that security supports the mission of the organization by protecting valuable resources. If employees view security as just bothersome rules and procedures, they are more likely to ignore them. In addition, they may not make needed suggestions about improving security nor recognize and report security threats and vulnerabilities. Awareness also is used to remind people of basic security practices, such as logging off a computer system or locking doors.

Techniques. A security awareness program can use many teaching methods, including video tapes, newsletters, posters, bulletin boards, flyers, demonstrations, briefings, short reminder notices at log-on, talks, or lectures. Awareness is often incorporated into basic security training and can use any method that can change employees' attitudes.

Effective security awareness programs need to be designed with the recognition that people tend to practice a tuning out process (also known as acclimation). For example, after a while, a security poster, no matter how well designed, will be ignored; it will in effect simply blend into the environment. For this reason, awareness techniques should be creative and frequently changed.

Employees often regard computer security as an obstacle to productivity. A common feeling is that they are paid to produce, not to protect. To help motivate employees, awareness should emphasize how security, from a broader perspective, contributes to productivity. The consequences of poor security should be explained, while avoiding the fear and intimidation that employees often associate with security.

13.4 Training

The purpose of training is to teach people the skills that will enable them to perform their jobs more securely. This includes teaching people what they should do and how they should (or can) do it. Training can address many levels, from basic security practices to more advanced or specialized skills. It can be specific to one computer system or generic enough to address all systems.

Training is most effective when targeted to a specific audience. This enables the training to focus on security-related job skills and knowledge that people need in performing their duties. Two types of audiences are general users and those who require specialized or advanced skills.

General Users. Most users need to understand good computer security practices, such as:

o protecting the physical area and equipment (e.g., locking doors, caring for floppy diskettes);
o protecting passwords (if used) or other authentication data or tokens (e.g., never divulge PINs); and
o reporting security violations or incidents (e.g., whom to call if a virus is suspected).

In addition, general users should be taught the organization's policies for protecting information and computer systems and the roles and responsibilities of various organizational units with which they may have to interact.

In teaching general users, care should be taken not to overburden them with unneeded details. These people are the target of multiple training programs, such as those addressing safety, sexual harassment, and AIDS in the workplace. The training should be made useful by addressing security issues that directly affect the users. The goal is to improve basic security practices, not to make everyone literate in all the jargon or philosophy of security.

Specialized or Advanced Training. Many groups need more advanced or more specialized training than just basic security practices. For example, managers may need to understand security consequences and costs so they can factor security into their decisions, or system administrators may need to know how to implement and use specific access control products.

One group that has been targeted for specialized training is executives and functional managers. The training for management personnel is specialized (rather than advanced) because managers do not (as a general rule) need to understand the technical details of security. However, they do need to understand how to organize, direct, and evaluate security measures and programs. They also need to understand risk acceptance.

There are many different ways to identify individuals or groups who need specialized or advanced training. One method is to look at job categories, such as executives, functional managers, or technology providers. Another method is to look at job functions, such as system design, system operation, or system use. A third method is to look at the specific technology and products used, especially for advanced training for user groups and training for a new system. This is further discussed in section 13.6 of this chapter.

Techniques. A security training program normally includes training classes, either strictly devoted to security or as added special sections or modules within existing training classes. Training may be computer- or lecture-based (or both), and may include hands-on practice and case studies. Training, like awareness, also happens on the job.

13.5 Education

Security education is more in-depth than security training and is targeted for security professionals and those whose jobs require expertise in security.

Techniques. Security education is normally outside the scope of most organization awareness and training programs. It is more appropriately a part of employee career development. Security education is obtained through college or graduate classes or through specialized training programs.[97] Because of this, most computer security programs focus primarily on awareness and training, as does the remainder of this chapter.

[97] Unfortunately, college and graduate security courses are not widely available. In addition, the courses may only address general security.

13.6 Implementation[98]

An effective computer security awareness and training (CSAT) program requires proper planning, implementation, maintenance, and periodic evaluation. The following seven steps constitute one approach for developing a CSAT program.[99]

Step 1: Identify Program Scope, Goals, and Objectives
Step 2: Identify Training Staff
Step 3: Identify Target Audiences
Step 4: Motivate Management and Employees
Step 5: Administer the Program
Step 6: Maintain the Program
Step 7: Evaluate the Program

[98] This section is based on material prepared by the Department of Energy's Office of Information Management for its unclassified security program.
[99] This approach is presented to familiarize the reader with some of the important implementation issues. It is not the only approach to implementing an awareness and training program.

13.6.1 Identify Program Scope, Goals, and Objectives

The first step in developing a CSAT program is to determine the program's scope, goals, and objectives. The scope of the program should provide training to all types of people who interact with computer systems. Since users need training which relates directly to their use of particular systems, a large organizationwide program may need to be supplemented by more specific programs. In addition, the organization should specifically address whether the program applies to employees only or also to other users of organizational systems. The scope of the program can be an entire organization or a subunit.

The Computer Security Act of 1987 requires federal agencies to provide for the mandatory periodic training in computer security awareness and accepted computer practices of all employees who are involved with the management, use, or operation of each federal computer system within or under the supervision of that agency. The scope and goals of federal computer security awareness and training programs must implement this broad mandate. (Other federal requirements for computer security training are contained in OMB Circular A-130, Appendix III, and OPM regulations.)

Generally, the overall goal of a CSAT program is to sustain an appropriate level of protection for computer resources by increasing employee awareness of their computer security responsibilities and the ways to fulfill them. More specific goals may need to be established. Objectives should be defined to meet the organization's specific goals.

13.6.2 Identify Training Staff

There are many possible candidates for conducting the training, including internal training departments, computer security staff, or contract services. Regardless of who is chosen, it is important that trainers have sufficient knowledge of computer security issues, principles, and techniques. It is also vital that they know how to communicate information and ideas effectively.

13.6.3 Identify Target Audiences

Not everyone needs the same degree or type of computer security information to do their jobs. A CSAT program that distinguishes between groups of people, presents only the information needed by the particular audience, and omits irrelevant information will have the best results. Segmenting audiences (e.g., by their function or familiarity with the system) can also improve the effectiveness of a CSAT program. For smaller organizations, segmenting may not be needed. For larger organizations, some individuals will fit into more than one group. The following methods are some examples of ways to do this:

Segment according to level of awareness. Individuals may be separated into groups according to their current level of awareness. This may require research to determine how well employees follow computer security procedures or understand how computer security fits into their jobs.

Segment according to general job task or function. Individuals may be grouped as data providers, data processors, or data users.

Segment according to specific job category. Many organizations assign individuals to job categories. Since each job category generally has different job responsibilities, training for each will be different. Examples of job categories could be general management, technology management, applications development, or security.

Segment according to level of computer knowledge. Computer experts may be expected to find a program containing highly technical information more valuable than one covering the management issues in computer security. Similarly, a computer novice would benefit more from a training program that presents introductory fundamentals.

Segment according to types of technology or systems used. Security techniques used for each off-the-shelf product or application system will usually vary. The users of major applications will normally require training specific to that application.

13.6.4 Motivate Management and Employees

To successfully implement an awareness and training program, it is important to gain the support of management and employees. Consideration should be given to using motivational techniques to show management and employees how their participation in the CSAT program will benefit the organization.

Management. Motivating management normally relies upon increasing awareness. Management needs to be aware of the losses that computer security can reduce and the role of training in computer security. Management commitment is necessary because of the resources used in developing and implementing the program and also because the program affects their staff.

Employees. Motivation of managers alone is not enough. Employees often need to be convinced of the merits of computer security and how it relates to their jobs. Without appropriate training, many employees will not fully comprehend the value of the system resources with which they work. Some awareness techniques were discussed above. Regardless of the techniques that are used, employees should feel that their cooperation will have a beneficial impact on the organization's future (and, consequently, their own).

Employees and managers should be solicited to provide input to the CSAT program. Individuals are more likely to support a program when they have actively participated in its development.

13.6.5 Administer the Program

There are several important considerations for administering the CSAT program.

Visibility. The visibility of a CSAT program plays a key role in its success. Efforts to achieve high visibility should begin during the early stages of CSAT program development. However, care should be given not to promise what cannot be delivered.

The Federal Information Systems Security Educators' Association and the NIST Computer Security Program Managers' Forum provide two means for federal government computer security program managers and training officers to share training ideas and materials.

Training Methods. The methods used in the CSAT program should be consistent with the material presented and tailored to the audience's needs. Some training and awareness methods and techniques are listed above (in the Techniques sections). Computer security awareness and training can be added to existing courses and presentations or taught separately. On-the-job training should also be considered.

Training Topics. There are more topics in computer security than can be taught in any one course. Topics should be selected based on the audience's requirements.

Training Materials. In general, higher-quality training materials are more favorably received and are more expensive. Costs, however, can be minimized since training materials can often be obtained from other organizations. The cost of modifying materials is normally less than developing training materials from scratch.

Training Presentation. Consideration should be given to the frequency of training (e.g., annually or as needed), the length of training presentations (e.g., 20 minutes for general presentations, one hour for updates, or one week for an off-site class), and the style of training presentation (e.g., formal presentation, informal discussion, computer-based training, humorous).

13.6.6 Maintain the Program

Computer technology is an ever-changing field. Efforts should be made to keep abreast of changes in computer technology and security requirements. A training program that meets an organization's needs today may become ineffective when the organization starts to use a new application or changes its environment, such as by connecting to the Internet. Likewise, an awareness program can become obsolete if laws or organization policies change. For example, the awareness program should make employees aware of a new policy on e-mail usage. Employees may discount the CSAT program, and by association the importance of computer security, if the program does not provide current information.

13.6.7 Evaluate the Program

It is often difficult to measure the effectiveness of an awareness or training program. Nevertheless, an evaluation should attempt to ascertain how much information is retained, to what extent computer security procedures are being followed, and general attitudes toward computer security. The results of such an evaluation should help identify and correct problems. Some evaluation methods (which can be used in conjunction with one another) are:

o Use student evaluations.
o Observe how well employees follow recommended security procedures.
o Test employees on material covered.
o Monitor the number and kind of computer security incidents reported before and after the program is implemented.[100]

13.7 Interdependencies

Training can, and in most cases should, be used to support every control in the handbook. All controls are more effective if designers, implementers, and users are thoroughly trained.

Policy. Training is a critical means of informing employees of the contents of and reasons for the organization's policies.

Security Program Management. Federal agencies need to ensure that appropriate computer security awareness and training is provided, as required under the Computer Security Act of 1987. A security program should ensure that an organization is meeting all applicable laws and regulations.

Personnel/User Issues. Awareness, training, and education are often included with other personnel/user issues. Training is often required before access is granted to a computer system.

13.8 Cost Considerations

The major cost considerations in awareness, training, and education programs are:

o the cost of preparing and updating materials, including the time of the preparer;
o the cost of those providing the instruction;
o employee time attending courses and lectures or watching videos; and
o the cost of outside courses and consultants (both of which may include travel expenses), including course maintenance.

References

Alexander, M., ed. Multimedia Means Greater
Awareness Infosecurity News 4 6 1993 pp 90-94 100 know The number of incidents will not necessarily the proper procedures to avoid infection go down For example virus-related losses may decrease when users On the other hand reports of incidents scanners and find more viruses In addition users will now know the reports should be sent 152 may go up that virus incidents should as users employ be reported and to virus whom 13 Burns G M Issue 2 A Recipe for a Decentralized Security Awareness Training and Education Awareness Program ISSA Access Vol 3 2nd Quarter 1990 pp 12-54 Code of Federal Regulations 5 CFR Awareness Incident Handling August 1992 Flanders D Security Isaacson G Security Awareness - 930 Computer Security Training Regulation A 70% Making Solution Fourth It Workshop on Computer Work ISSA Access Security 3 4 1990 pp 22-24 National Aeronautics and Space Administration Guidelines for Development of Computer Security Awareness March and Training CSAT Programs Washington DC NASA Guide 2410 1 1990 Maconachy V Computer Security Education Training and Awareness Turning a Philosophical Orientation Into Practical Reality Proceedings of the 12th National Computer Security Conference National Institute of Standards and Technology and National Computer Security Center Washington DC October 1989 Maconachy V Panel Federal Information Systems Security Educators' Association FISSEA Proceeding of the 15th National Computer Security Conference National Institute of Standards and Technology and National Computer Security Center Baltimore MD October 1992 Your Training Needs Proceedings of the 13th National Computer Conference National Institute of Standards and Technology and National Computer Center Washington DC October 1990 Suchinsky A Determining Security Security Todd M A and Guitian C Computer Security Training Guidelines Special Publication 500172 Gaithersburg MD National Institute of Standards and Technology November 1989 U S Department of Energy Computer Security 
Awareness and Training Guideline Vol 1 Washington DC DOE MA-0320 February 1988 Wells R O Security Awareness for the Non-Believers ISSA Access Vol 3 Issue 2 2nd Quarter 1990 pp 10-61 153 Chapter 14 SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND OPERATIONS Computer support and operations refers to everything done to run a computer system System management and administration This includes both system administration and generally perform support and operations tasks tasks external to the system that support although sometimes users do Larger systems operation It e g its staff may have full-time operators system programmers and maintaining documentation support staff performing these tasks Smaller systems does not include system planning or design may have a part-time administrator The support and operation of any computer system from a three-person local area network to a worldwide application serving thousands of users is critical to maintaining the security of a system Support and operations are routine activities that enable computer systems to function correctly These include fixing software or hardware problems loading and maintaining software and helping users resolve problems The failure to consider security as many organizations their Achilles part of the support and operations of heel Computer examples of how organizations undermined computer systems security system literature includes their often is for many expensive security measures because of poor documentation old user accounts conflicting software or poor control of maintenance accounts Also an organization's policies and procedures often fail to address many of these important issues The important security considerations within some of the major categories of support and operations are user support software support The primary goal of computer support and operations configuration management is backups system the continued and correct operation of a computer One availability media controls of the goals 
of computer security and integrity of systems very closely linked documentation and maintenance 155 is the These goals are Operational Controls Some special considerations are noted for larger or smaller systems 101 This chapter addresses the support and operations activities directly related to security Every control discussed in this handbook relies in one way or another on computer system support and operations This chapter however focuses on areas not covered in other chapters For example operations personnel normally create user accounts on the system This topic Identification and Authentication chapter so it is is covered in the not discussed here Similarly the input from support and operations staff to the security awareness and training program is covered in the Security Awareness Training and Education chapter User Support 14 1 In many organizations user support takes place through a Help Desk Help Desks can support an entire organization a subunit a specific system or a combination of these For smaller systems the system administrator normally provides direct user support Experienced users provide informal user support on most systems An important security consideration for user support personnel is being able to recognize which problems brought to users are security-related users' inability to log may result their attention User support should be closely linked by cases the same For example ' onto a computer system to the organization's incident handling capability In person 1 perform many these functions Hiii HH BaHmiHi from the disabling of their accounts due to too many failed access attempts This could indicate the presence of hackers trying to guess users' passwords In general system support and operations staff need to be able to identify security problems respond appropriately and inform appropriate individuals problems Some exist will A wide range of possible security be internal to custom applications while others apply to off-the-shelf products 
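As an added example (not from the handbook), the following script shows how a help desk might check the audit trail when a user reports being unable to log on, separating a lockout caused by a few mistyped passwords from the rapid, repeated failures that could indicate password guessing and should be passed to incident handling. The log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
"""Help desk triage of a "can't log on" report: an added example, not handbook code.

Checks the audit trail for a lockout caused by too many failed access attempts
and distinguishes a few mistyped passwords from rapid, repeated failures that
could indicate password guessing, so the incident handling capability is told.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not from any real system). The line format,
# "<date> <time> LOGIN <OK|FAIL|LOCKOUT> user=<name> src=<terminal>", is assumed.
SAMPLE_LOG = """\
1995-10-02 08:01:12 LOGIN FAIL user=jsmith src=tty03
1995-10-02 08:01:40 LOGIN FAIL user=jsmith src=tty03
1995-10-02 08:02:05 LOGIN OK user=jsmith src=tty03
1995-10-02 08:15:00 LOGIN FAIL user=bjones src=modem1
1995-10-02 08:15:01 LOGIN FAIL user=bjones src=modem1
1995-10-02 08:15:02 LOGIN FAIL user=bjones src=modem1
1995-10-02 08:15:03 LOGIN FAIL user=bjones src=modem1
1995-10-02 08:15:04 LOGIN FAIL user=bjones src=modem1
1995-10-02 08:15:04 LOGIN LOCKOUT user=bjones src=modem1
1995-10-02 09:30:10 LOGIN FAIL user=mlee src=tty07
1995-10-02 09:31:55 LOGIN FAIL user=mlee src=tty07
1995-10-02 09:33:20 LOGIN FAIL user=mlee src=tty07
1995-10-02 09:33:20 LOGIN LOCKOUT user=mlee src=tty07
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN (?P<outcome>OK|FAIL|LOCKOUT) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return (timestamp, outcome, user, src) tuples in time order; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["outcome"], m["user"], m["src"]))
    return sorted(events)


def lockout_report(events, window=timedelta(minutes=10)):
    """Summarise, per locked-out account, the FAIL events in the window before the LOCKOUT."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[2]].append(ev)
    report = {}
    for user, evs in by_user.items():
        for ts, outcome, _, _ in evs:
            if outcome != "LOCKOUT":
                continue
            fails = [e for e in evs if e[1] == "FAIL" and ts - window <= e[0] <= ts]
            span = (fails[-1][0] - fails[0][0]).total_seconds() if fails else 0.0
            report[user] = {
                "locked_at": ts,
                "failures": len(fails),
                "span_seconds": span,
                "sources": sorted({e[3] for e in fails}),
            }
    return report


def triage(user, report, guessing_threshold=5, min_seconds_per_attempt=5.0):
    """Classify the caller's account for the help desk.

    The thresholds are assumptions: a burst of failures faster than a person
    types, or more failures than a person would plausibly make, is escalated
    rather than silently reset.
    """
    info = report.get(user)
    if info is None:
        return "not locked out"
    gaps = info["failures"] - 1
    rapid = gaps > 0 and info["span_seconds"] / gaps < min_seconds_per_attempt
    if info["failures"] >= guessing_threshold or rapid:
        return "locked out: possible password guessing, escalate to incident handling"
    return "locked out: likely user error, reset per procedure"


if __name__ == "__main__":
    rep = lockout_report(parse_log(SAMPLE_LOG))
    for who in ("jsmith", "bjones", "mlee"):
        print(who, "->", triage(who, rep))
```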
Additionally, problems can be software- or hardware-based. The more responsive and knowledgeable system support and operations staff are, the less user support will be provided informally. The support other users provide is important, but they may not be aware of the "whole picture."

Small systems are especially susceptible to viruses, while networks are particularly susceptible to hacker attacks, which can be targeted at multiple systems. System support personnel should be able to recognize attacks and know how to respond.

[101] In general, larger systems include mainframes, large minicomputers, and WANs. Smaller systems include PCs and LANs.

14.2 Software Support

Software is the heart of an organization's computer operations, whatever the size and complexity of the system. Therefore, it is essential that software function correctly and be protected from corruption. There are many elements of software support.

One is controlling what software is used on a system. If users or systems personnel can load and execute any software on a system, the system is more vulnerable to viruses, to unexpected software interactions, and to software that may subvert or bypass security controls. One method of controlling software is to inspect or test software before it is loaded (e.g., to determine compatibility with custom applications or identify other unforeseen interactions). This can apply to new software packages, to upgrades, to off-the-shelf products, or to custom software, as deemed appropriate. In addition to controlling the loading and execution of new software, organizations should also give care to the configuration and use of powerful system utilities. System utilities can compromise the integrity of operating systems and logical access controls.

A second element in software support can be to ensure that software has not been modified without proper authorization. This involves the protection of software and backup copies. This can be done with a combination of logical and physical access controls.

Viruses take advantage of the weak software controls in personal computers. Also, there are powerful utilities available for PCs that can restore deleted files, bypassing the operating system and interfacing directly with PC hardware, and find hidden files. Some organizations use personal computers without floppy drives in order to have better control over the system.

Many organizations also include a program to ensure that software is properly licensed, as required. For example, an organization may audit systems for illegal copies of copyrighted software. This problem is primarily associated with PCs and LANs, but can apply to any type of system.

There are several widely available utilities that look for security problems in both networks and the systems attached to them. Some utilities look for and try to exploit security vulnerabilities. This type of software is further discussed in Chapter 9.

14.3 Configuration Management

Closely related to software support is configuration management - the process of keeping track of changes to the system and, if needed, approving them. [102] Configuration management normally addresses hardware, software, networking, and other changes; it can be formal or informal. The primary security goal of configuration management is ensuring that changes to the system do not unintentionally or unknowingly diminish security. Some of the methods discussed under software support, such as inspecting and testing software changes, can be used. Chapter 9 discusses other methods.

[102] This chapter only addresses configuration management during the operational phase. Configuration management can have extremely important security consequences during the development phase of a system.

Note that the security goal is to know what changes occur, not to prevent security from being changed. There may be circumstances when security will be reduced. However, the decrease in security should be the result of a decision based on all appropriate factors.

For networked systems, configuration management should include external connections. Is the computer system connected? To what other systems? In turn, what systems are these systems and organizations connected to?

A second security goal of configuration management is ensuring that changes to the system are reflected in other documentation, such as the contingency plan. If the change is major, it may be necessary to reanalyze some or all of the security of the system. This is discussed in Chapter 8.

14.4 Backups

Support and operations personnel and sometimes users back up software and data. This function is critical to contingency planning. Frequency of backups will depend upon how often data changes and how important those changes are. Program managers should be consulted to determine what backup schedule is appropriate. Also, as a safety measure, it is useful to test that backup copies are actually usable. Finally, backups should be stored securely, as appropriate (discussed below).

Users of smaller systems are often responsible for their own backups. However, in reality they do not always perform backups regularly. Some organizations, therefore, task support personnel with making backups periodically for smaller systems, either automatically (through server software) or manually (by visiting each machine).

14.5 Media Controls

Media controls include a variety of measures to provide physical and environmental protection and accountability for tapes, diskettes, printouts, and other media. From a security perspective, media controls should be designed to prevent the loss of confidentiality, integrity, or availability of information, including data or software, when stored outside the system. This can include storage of information before it is input to the system and after it is output.

The extent of media control depends upon many factors, including the type of data, the quantity of media, and the nature of the user environment. Physical and environmental protection is used to prevent unauthorized individuals from accessing the media. It also protects against such factors as heat, cold, or harmful magnetic fields. When necessary, logging the use of individual media (e.g., a tape cartridge) provides detailed accountability, to hold authorized people responsible for their actions.

14.5.1 Marking

Controlling media may require some form of physical labeling. The labels can be used to identify media with special handling instructions, to locate needed information, or to log media (e.g., with serial/control numbers or bar codes) to support accountability. Identification is often by colored labels on diskettes or tapes or banner pages on printouts.

If labeling is used for special handling instructions, it is critical that people be appropriately trained. The marking of PC input and output is generally the responsibility of the user, not the system support staff. Marking backup diskettes can help prevent them from being accidentally overwritten.

Typical markings for media could include: Privacy Act Information, Company Proprietary, or Joe's Backup Tape. In each case, the individuals handling media must know the applicable handling instructions. For example, at the Acme Patent Research Firm, proprietary information may not leave the building except under the care of a security officer. Also, Joe's Backup Tape should be easy to find in case something happens to Joe's system.

14.5.2 Logging

The logging of media is used to support accountability. Logs can include control numbers (or other tracking data), the times and dates of transfers, names and signatures of individuals involved, and other relevant information. Periodic spot checks or audits may be conducted to determine that no controlled items have been lost and that all are in the custody of individuals named in control logs. Automated media tracking systems may be helpful for maintaining inventories of tape and disk libraries.

14.5.3 Integrity Verification

When electronically stored information is read into a computer system, it may be necessary to determine whether it has been read correctly or subject to any modification. The integrity of electronic information can be verified using error detection and correction or, if intentional modifications are a threat, cryptographic-based technologies. (See Chapter 19.)

14.5.4 Physical Access Protection

Media can be stolen, destroyed, replaced with a look-alike copy, or lost. Physical access controls, which can limit these problems, include locked doors, desks, file cabinets, or safes. If the media requires protection at all times, it may be necessary to actually output data to the media in a secure location (e.g., printing to a printer in a locked room instead of to a general-purpose printer in a common area).

Physical protection of media should be extended to backup copies stored offsite. They generally should be accorded an equivalent level of protection to media containing the same information stored onsite. Equivalent protection does not mean that the security measures need to be exactly the same. The controls at the off-site location are quite likely to be different from the controls at the regular site. Physical access is discussed in Chapter 15.

14.5.5 Environmental Protection

Magnetic media, such as diskettes or magnetic tape, require environmental protection, since they are sensitive to temperature, liquids, magnetism, smoke, and dust. Other media (e.g., paper and optical storage) may have different sensitivities to environmental factors.

14.5.6 Transmittal

Media control may be transferred both within the organization and to outside elements. Possibilities for securing such transmittal include sealed and marked envelopes, authorized messenger or courier, or U.S. certified or registered mail.

14.5.7 Disposition

When media is disposed of, it may be important to ensure that information is not improperly disclosed. This applies both to media that is external to a computer system (such as a diskette) and to media inside a computer system (such as a hard disk). The process of removing information from media is called sanitization.

Many people throw away old diskettes, believing that erasing the files on the diskette has made the data unretrievable. In reality, however, erasing a file simply removes the pointer to that file. The pointer tells the computer where the file is physically stored. Without this pointer, the files will not appear on a directory listing. This does not mean that the file was removed. Commonly available programs can often retrieve information that is presumed deleted.

Three techniques are commonly used for media sanitization: overwriting, degaussing, and destruction. Overwriting is an effective method for clearing data from magnetic media. As the name implies, overwriting uses a program to write (1s, 0s, or a combination) onto the media. Common practice is to overwrite the media three times. Overwriting should not be confused with merely deleting the pointer to a file (which typically happens when a delete command is used). Overwriting requires that the media be in working order. Degaussing is a method to magnetically erase data from magnetic media. Two types of degausser exist: strong permanent magnets and electric degaussers. The final method of sanitization is destruction of the media by shredding or burning.

14.6 Documentation

Documentation of all aspects of computer support and operations is important to ensure continuity and consistency. Formalizing operational practices and procedures with sufficient detail helps to eliminate security lapses and oversights, gives new personnel sufficiently detailed instructions, and provides a quality assurance function to help ensure that operations will be performed correctly and efficiently.

The security of a system also needs to be documented. This includes many types of documentation, such as security plans, contingency plans, risk analyses, and security policies and procedures.
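An added example (not the handbook's own code) covering two of the media controls above: a cryptographic hash manifest to verify a backup copy when it is read back (14.5.3), and sanitization by overwriting a file's contents before disposal (14.5.7), as opposed to a plain delete that only removes the pointer. File names, contents and the three overwrite patterns are constructed; the example runs in a temporary directory.

```python
"""Media controls on a backup copy: an added example, not the handbook's code.

write_manifest/verify_manifest apply a cryptographic hash (SHA-256) so that a
copy read back from media can be checked for modification (14.5.3);
sanitize_file overwrites a file's contents before the directory entry is
removed, unlike a plain delete that only removes the pointer (14.5.7).
"""
import hashlib
import json
import os
import tempfile

MANIFEST = "MANIFEST.json"
# Three overwrite passes, as in the common practice the handbook describes
# (all ones, all zeros, then an alternating bit pattern); the patterns are an assumption.
PASSES = (b"\xff", b"\x00", b"\x55")


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large media images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(dir_path):
    """Record the hash of every regular file in dir_path (except the manifest itself)."""
    names = sorted(n for n in os.listdir(dir_path)
                   if n != MANIFEST and os.path.isfile(os.path.join(dir_path, n)))
    manifest = {n: sha256_file(os.path.join(dir_path, n)) for n in names}
    with open(os.path.join(dir_path, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)
    return manifest


def verify_manifest(dir_path):
    """Re-hash the files and report which were modified or lost since the manifest was written."""
    with open(os.path.join(dir_path, MANIFEST)) as f:
        manifest = json.load(f)
    problems = {"modified": [], "missing": []}
    for name, digest in sorted(manifest.items()):
        path = os.path.join(dir_path, name)
        if not os.path.isfile(path):
            problems["missing"].append(name)
        elif sha256_file(path) != digest:
            problems["modified"].append(name)
    return problems


def sanitize_file(path, passes=PASSES, chunk=65536):
    """Overwrite the file in place once per pattern, read the last pass back, then remove it.

    Returns True if the final pattern read back intact (overwriting only means
    something if the media is in working order). Caveat: on journaling file
    systems and flash media with wear levelling, old blocks can survive an
    in-place overwrite; degaussing, destruction or device-level sanitization
    are needed there.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pat in passes:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(pat * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
        f.seek(0)
        verified = all(block == passes[-1] * len(block)
                       for block in iter(lambda: f.read(chunk), b""))
    os.remove(path)  # only now drop the pointer
    return verified


def demo():
    """Run the lifecycle on constructed files in a temporary directory; return what was observed."""
    with tempfile.TemporaryDirectory() as d:
        samples = {"payroll.dat": b"A" * 70000, "notes.txt": b"constructed sample\n"}
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        write_manifest(d)
        clean = verify_manifest(d)
        with open(os.path.join(d, "notes.txt"), "ab") as f:  # simulate modification on the media
            f.write(b"tampered")
        tampered = verify_manifest(d)
        sanitized = {n: sanitize_file(os.path.join(d, n)) for n in samples}
        return {"clean": clean, "tampered": tampered,
                "sanitized": sanitized, "remaining": sorted(os.listdir(d))}


if __name__ == "__main__":
    print(demo())
```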
policies and Much procedures of this information particularly risk and threat analyses has to be protected against unauthorized disclosure Security documentation also needs to be both current and Accessibility should take special factors into account such as the need to find the accessible contingency plan during a disaster Security documentation should be designed to who use it For this reason many fulfill the needs of the different types of people organizations separate documentation into policy and A security procedures manual should be written to inform various system users how their jobs securely A security procedures manual for systems operations and support staff procedures to do may address a wide variety of technical and operational concerns in considerable detail Maintenance 14 7 System maintenance requires either physical or logical access to the system Support and staff hardware or software vendors or third-party service providers may maintain a system Maintenance may be performed on site or it may be necessary to move equipment to a repair site Maintenance may also be performed remotely via communications connections If someone who does not normally have access to the system performs maintenance then a security operations vulnerability In is introduced some circumstances it may be necessary to take additional precautions such as conducting background investigations of service personnel Supervision of maintenance personnel may prevent some problems such has access to the system it is as snooping around the physical area very difficult for supervision to prevent However once someone damage done through the maintenance process Many computer systems provide maintenance accounts These special log-in accounts are One normally preconfigured break into systems pre-set widely critical to at the factory with known passwords that stUI It is change these passwords or of the most n is hackers use to through maintenance accounts have ctory- or easily guessed 
passwords iiiiiiiiiiiiwiinii 161 common methods wwiiiiii mmhmwi i wii m mi Operational Controls otherwise disable the accounts until they are needed Procedures should be developed to ensure that only authorized maintenance personnel can use these accounts If the account is to be used remotely authentication of the maintenance provider can be performed using call-back confirmation This helps ensure that remote diagnostic activities actually originate from an established phone number at the vendor's Other techniques can also help including site encryption and decryption of diagnostic communications strong identification and authentication techniques such as tokens and remote disconnect verification may have diagnostic ports In addition manufacturers of larger systems and providers may offer more diagnostic and support services It is critical to ensure that Larger systems third-party these ports are only used by authorized personnel and cannot be accessed by hackers Interdependencies 14 8 There are support and operations components Personnel Most support and operations in most of the controls discussed in this have special access to the system staff organizations conduct background checks on individuals filling handbook Some these positions to screen out possibly untrustworthy individuals Incident Handling Support and operations Even if may include an organization's incident handling they are separate organizations they need to work together to recognize staff and respond to incidents Contingency Planning Support and operations normally provides technical input to contingency planning and carries out the activities of making backups updating documentation and practicing responding to contingencies Security Awareness Training and Education Support and operations security procedures and should be staff should be trained in aware of the importance of security In addition they provide technical expertise needed to teach users how to secure their systems Physical and 
Environmental Support and operations staff often control the immediate physical area around the computer system Technical Controls The technical controls are operations staff They installed maintained and used by support and create the user accounts add users to access control lists review audit logs for unusual activity control bulk encryption over telecommunications links and perform the countless operational tasks needed to use technical controls effectively In addition support and operations staff provide needed input to the selection of controls based on their knowledge of system capabilities and operational constraints 162 14 Security Considerations in Computer Support and Operations Assurance Support and operations staff ensure that changes to a system do not introduce by using assurance methods to evaluate or security vulnerabilities on the system Operational assurance is changes and their effect test the normally performed by support and operations staff Cost Considerations 14 9 The cost of ensuring adequate security in day-to-day support and operations is largely dependent upon the size and characteristics of the operating environment and the nature of the processing being performed If sufficient support personnel are already available trained in the security aspects of their assigned jobs it is it is important that they be usually not necessary to hire additional support and operations security specialists Training both initial and ongoing is a cost of successfully incorporating security measures into support and operations activities Another cost is that associated with creating concerns are appropriately reflected in and updating documentation to ensure that security support and operations policies procedures and duties References Bicknell Paul Data Security for Personal Computers Proceedings of the 15th National Computer Security Conference Vol I National Institute of Standards and Technology and National Computer Security Center Baltimore October 
1992 Dennis Longley and Michael Shain Information Security Handbook Caelli William NY Stockton MD New York Press 1991 A Local Area Network Security Architecture Proceedings of the 15th National Computer Security Conference Vol I National Institute of Standards and Technology and National Computer Security Center Baltimore MD 1992 Carnahan Lisa Carroll J M J Managing A Computer-Aided Strategy Risk Boston Chapman D Brent Network In Security Through IP Packet USENIX UNIX Security Symposium 1992 Curry David A UNIX System MA Addison-Wesley Security A MA Butterworths 1984 Filtering Proceedings of the 3rd Guide for Users and System Administrators Reading Publishing Co Inc 1992 Garfinkel Simson and Gene Spafford Practical UNIX Security Sebastopol CA O'Reilly Associates 1991 Holbrook Paul and Joyce Reynolds eds Site Security Handbook Available by anonymous 163 ftp Operational Controls from nic ddn mil in rfc directory Internet Security for System Security Seminars CERT Network Administrators Computer Emergency Response Team Coordination Center 1993 Murray W H Security Considerations for Personal Computers Tutorial Computer and Network Parker Security Oakland Donna B CA IEEE Computer Society Managers Guide to Press 1986 Computer Security Reston VA Reston Publishing Inc 1981 Pfleeger Charles P Security in Computing Englewood 164 Cliffs NJ Prentice-Hall Inc 1989 Chapter 15 PHYSICAL AND ENVIRONMENTAL SECURITY The term physical and environmental security as used in this chapter refers to Physical and envkonmentaljsecurity controls are measures taken to protect systems buildings implemented and related supporting infrastructure against resources the system resources themselves and the iL o facilities threats associated with their physical environment 103 to protect the facility housing used to support r system their operation r mmmmammmmmmmmmmmmtmmmmmmmmmmmmm Physical and environmental security controls include the following three broad areas 1 The physical facility is usually 
the building other structure or vehicle housing the system and network components Systems can be characterized based upon location as static mobile or portable locations Mobile systems are their operating Static systems are installed in structures at fixed installed in vehicles that perform the function of a structure but not at a fixed location Portable systems are not installed in fixed operating locations They may be operated in wide variety of locations including buildings or vehicles or in the open The physical characteristics of these structures and vehicles determine the level of such physical threats as 2 The facility's fire roof leaks or unauthorized access general geographic operating location determines the characteristics of natural threats which include earthquakes and flooding civil disorders 3 threats such as burglary or interception of transmissions and emanations and damaging nearby activities including toxic from man-made chemical spills explosions fires and electromagnetic interference emitters such as radars Supporting facilities are those services both technical and human that underpin the operation of the system The system's operation usually depends on supporting as electric power heating and air conditioning and telecommunications substandard performance of these facilities may interrupt operation of the The facilities such failure or system and may cause physical damage to system hardware or stored data This chapter first discusses the benefits of physical security measures and then presents an overview of common physical and environmental security controls Physical and environmental security measures result in many benefits the protection of computer systems 103 such as protecting employees This chapter focuses on from the following This chapter draws upon work by Robert V Jacobson International Security Technology Tennessee Valley Authority 165 Inc funded by the Operational Controls Interruptions in Providing Computer Services An external 
threat may interrupt the scheduled operation of a system The magnitude of the losses depends on the duration and timing of the service interruption and the characteristics of the operations end users perform Physical Damage or replaced Data media e g hardware is damaged or destroyed it usually has to be repaired destroyed as an act of sabotage by a physical attack on data storage rendering the data unreadable or only partly readable If data stored by a system for operational use from the If a system's may be is destroyed or corrupted the data needs to be restored from back-up copies or original sources before the damage depends on arising from service system can be used The magnitude of loss from physical the cost to repair or replace the damaged hardware and data as well as costs interruptions Unauthorized Disclosure of Information The physical characteristics of the facility housing a system may permit an intruder to gain access both to media external to system hardware such as diskettes tapes and printouts and to media within system components such as fixed transmission lines or display screens All may result in loss disks of disclosure-sensitive information Loss of Control over System Integrity If an intruder gains access to the central processing unit is usually possible to reboot the system and bypass logical access controls This can lead to it information disclosure fraud replacement of system and application software introduction of a Trojan horse and more Moreover what has been modified lost if such access is gained it may be very difficult to determine or corrupted System hardware may be stolen The magnitude of the loss is determined by the replace the stolen hardware and restore data stored on stolen media Theft may also Physical Theft costs to result in service interruptions This chapter discusses seven major areas of physical and environmental security controls physical access controls fire safety supporting utilities structural collapse plumbing leaks 
interception of data, and mobile and portable systems.

15.1 Physical Access Controls

Physical access controls restrict the entry and exit of personnel (and often equipment and media) from an area, such as an office building, suite, data center, or room containing a LAN server.

The controls over physical access to the elements of a system can include controlled areas, barriers that isolate each area, entry points in the barriers, and screening measures at each of the entry points. In addition, staff members who work in a restricted area serve an important role in providing physical security, as they can be trained to challenge people they do not recognize.

Life Safety. It is important to understand that the objectives of physical access controls may be in conflict with those of life safety. Simply stated, life safety focuses on providing easy exit from a facility, particularly in an emergency, while physical security strives to control entry. In general, life safety must be given first consideration, but it is usually possible to achieve an effective balance between the two goals. For example, it is often possible to equip exit doors with a time delay. When one pushes on the panic bar, a loud alarm sounds, and the door is released after a brief delay. The expectation is that people will be deterred from using such exits improperly, but will not be significantly endangered during an emergency evacuation.

Physical access controls should address not only the area containing system hardware, but also locations of wiring used to connect elements of the system, the electric power service, the air conditioning and heating plant, telephone and data lines, backup media and source documents, and any other elements required for the system's operation. This means that all the areas in the building(s) that contain system elements must be identified.

It is also important to review the effectiveness of physical access controls in each area, both during normal business hours and at other times, particularly when an area may be unoccupied. Effectiveness depends on both the characteristics of the control devices used (e.g., keycard-controlled doors) and the implementation and operation. Statements to the effect that "only authorized persons may enter this area" are not particularly effective. Organizations should determine whether intruders can easily defeat the controls, the extent to which strangers are challenged, and the effectiveness of other control procedures. Factors like these modify the effectiveness of physical controls.

There are many types of physical access controls, including badges, memory cards, guards, keys, true-floor-to-true-ceiling wall construction, fences, and locks.

The feasibility of surreptitious entry also needs to be considered. For example, it may be possible to go over the top of a partition that stops at the underside of a suspended ceiling, or to cut a hole in a plasterboard partition in a location hidden by furniture. If a door is controlled by a combination lock, it may be possible to observe an authorized person entering the lock combination. If keycards are not carefully controlled, an intruder may be able to steal a card left on a desk or use a card passed back by an accomplice.

Corrective actions can address any of the factors listed above. Adding an additional barrier reduces the risk to the areas behind the barrier. Enhancing the screening at an entry point can reduce the number of penetrations. For example, a guard may provide a higher level of screening than a keycard-controlled door, or an anti-passback feature can be added. Reorganizing traffic patterns, work flow, and work areas may reduce the number of people who need access to a restricted area. Physical modifications to barriers can reduce the vulnerability to surreptitious entry. Intrusion detectors, such as closed-circuit television cameras, motion detectors, and other devices, can detect intruders in unoccupied spaces.

Types of Building Construction. There are four basic kinds of building construction: (a) light frame, (b) heavy timber, (c) incombustible, and (d) fire resistant. Note that the term "fireproof" is not used because no structure can resist a fire indefinitely. Most houses are light frame, and cannot survive more than about thirty minutes in a fire. Heavy timber means that the basic structural elements have a minimum thickness of four inches. When such structures burn, the char that forms tends to insulate the interior of the timber, and the structure may survive for an hour or more depending on the details. Incombustible means that the structure members will not burn. This almost always means that the members are steel. Note, however, that steel loses its strength at high temperatures, at which point the structure collapses. Fire resistant means that the structural members are incombustible and are insulated. Typically, the insulation is either concrete that encases steel members or a mineral wool that is sprayed onto the members. Of course, the heavier the insulation, the longer the structure will resist a fire.

Note that a building constructed of reinforced concrete can still be destroyed in a fire if there is sufficient fuel present and fire fighting is ineffective. The prolonged heat of a fire can cause differential expansion of the concrete, which causes spalling. Portions of the concrete split off, exposing the reinforcing, and the concrete is subject to additional spalling. Furthermore, as heated floor slabs expand outward, they deform supporting columns. Thus, a reinforced concrete parking garage with open exterior walls and a relatively low fire load has a low fire risk, but a similar archival record storage facility with closed exterior walls and a high fire load has a higher risk even though the basic building material is incombustible.

15.2 Fire Safety Factors

Building fires are a particularly important security threat because of the potential for complete destruction of both hardware and data, the risk to human life, and the pervasiveness of the damage. Smoke, corrosive gases, and high humidity from a localized fire can damage systems throughout an entire building. Consequently, it is important to evaluate the fire safety of buildings that house systems. Following are important factors in determining the risks from fire.

Ignition Sources. Fires begin because something supplies enough heat to cause other materials to burn. Typical ignition sources are failures of electric devices and wiring, carelessly discarded cigarettes, improper storage of materials subject to spontaneous combustion, improper operation of heating devices, and, of course, arson.

Fuel Sources. If a fire is to grow, it must have a supply of fuel (material that will burn to support its growth) and an adequate supply of oxygen. Once a fire becomes established, it depends on the combustible materials in the building (referred to as the fire load) to support its further growth. The more fuel per square meter, the more intense the fire will be.

Building Operation. If a building is well maintained and operated so as to minimize the accumulation of fuel (such as maintaining the integrity of fire barriers), the fire risk will be minimized.

Building Occupancy. Some occupancies are inherently more dangerous than others because of an above-average number of potential ignition sources. For example, a chemical warehouse may contain an above-average fuel load.

Fire Detection. The more quickly a fire is detected, all other things being equal, the more easily it can be extinguished, minimizing damage. It is also important to accurately pinpoint the location of the fire.

Fire Extinguishment. A fire will burn until it consumes all of the fuel in the building or until it is extinguished. Fire extinguishment may be automatic, as with an automatic sprinkler system or a HALON discharge system, or it may be performed by people using portable extinguishers, cooling the fire site with a stream of water, by limiting the supply of oxygen with a blanket of foam or powder, or by breaking the combustion chemical reaction chain.

When properly installed, maintained, and provided with an adequate supply of water, automatic sprinkler systems are highly effective in protecting buildings and their contents.[104] Nonetheless, one often hears uninformed persons speak of the "water damage" done by sprinkler systems as a disadvantage. Fires that trigger sprinkler systems cause the water damage. In short, sprinkler systems reduce fire damage, protect the lives of building occupants, and limit the fire damage to the building itself.[105] All these factors contribute to more rapid recovery of systems following a fire.

Halons have been identified as harmful to the Earth's ozone layer. So, under an international agreement (known as the Montreal Protocol), production of halons ended January 1, 1994. In September 1992, the General Services Administration issued a moratorium on halon use by federal agencies.

104. As discussed in this section, many more variables affect fire safety and should be taken into account in selecting a fire extinguishment system. While automatic sprinklers can be very effective, selection of a fire extinguishment system for a particular building should take into account the particular fire risk factors. Other factors may include rate changes from either a fire insurance carrier or a business interruption insurance carrier. Professional advice is required.
105. Occurrences of accidental discharge are extremely rare, and in a fire only the sprinkler heads in the immediate area of the fire open and discharge water.

Each of these factors is important when estimating the occurrence rate of fires and the amount of damage that will result. The objective of a fire-safety program is to optimize these factors to minimize the risk of fire.

15.3 Failure of Supporting Utilities

Systems and the people who operate them need to have a reasonably well-controlled operating environment. Consequently, failures of heating and air-conditioning systems will usually cause a service interruption and may damage hardware. These utilities are composed of many elements, each of which must function properly.

For example, the typical air-conditioning system consists of (1) air handlers that cool and humidify room air, (2) circulating pumps that send chilled water to the air handlers, (3) chillers that extract heat from the water, and (4) cooling towers that discharge the heat to the outside air. Each of these elements has a mean-time-between-failures (MTBF) and a mean-time-to-repair (MTTR). Using the MTBF and MTTR values for each of the elements of a system, one can estimate the occurrence rate of system failures and the range of resulting service interruptions.

This same line of reasoning applies to electric power distribution, heating plants, water, sewage, and other utilities required for system operation or staff comfort. By identifying the failure modes of each utility and estimating the MTBF and MTTR, the necessary failure threat parameters can be developed to calculate the resulting risk. The risk of utility failure can be reduced by substituting units with lower MTBF values. MTTR can be reduced by stocking spare parts on site and training maintenance personnel. And the outages resulting from a given MTBF can be reduced by installing redundant units, under the assumption that failures are distributed randomly in time. Each of these strategies can be evaluated by comparing the reduction in risk with the cost to achieve it.

15.4 Structural Collapse

A building may be subjected to a load greater than it can support. Most commonly this is a result of an earthquake, a snow load on the roof beyond design criteria, an explosion that displaces or cuts structural members, or a fire that weakens structural members. Even if the structure is not completely demolished, the authorities may decide to ban its further use, sometimes even banning entry to remove materials. This threat applies primarily to high-rise buildings and those with large interior spaces without supporting columns.
15.5 Plumbing Leaks

While plumbing leaks do not occur every day, they can be seriously disruptive. The building's plumbing drawings can help locate plumbing lines that might endanger system hardware. These lines include hot and cold water, chilled water supply and return, steam lines, automatic sprinkler lines, fire hose standpipes, and drains. If a building includes a laboratory or manufacturing spaces, there may be other lines that conduct water, corrosive or toxic chemicals, or gases.

As a rule, analysis often shows that the cost to relocate threatening lines is difficult to justify. However, the location of shutoff valves and procedures that should be followed in the event of a failure must be specified. Operating and security personnel should have this information immediately available for use in an emergency. In some cases, it may be possible to relocate system hardware, particularly distributed LAN hardware.

15.6 Interception of Data

Depending on the type of data a system processes, there may be a significant risk if the data is intercepted. There are three routes of data interception: direct observation, interception of data transmission, and electromagnetic interception.

Direct Observation. System terminal and workstation display screens may be observed by unauthorized persons. In most cases, it is relatively easy to relocate the display to eliminate the exposure.

Interception of Data Transmissions. If an interceptor can gain access to data transmission lines, it may be feasible to tap into the lines and read the data being transmitted. Network monitoring tools can be used to capture data packets. Of course, the interceptor cannot control what is transmitted, and so may not be able to immediately observe data of interest. However, over a period of time there may be a serious level of disclosure. Local area networks typically broadcast messages.[106] Consequently, all traffic, including passwords, could be retrieved. Interceptors could also transmit spurious data on tapped lines, either for purposes of disruption or for fraud.

Electromagnetic Interception. Systems routinely radiate electromagnetic energy that can be detected with special-purpose radio receivers. Successful interception will depend on the signal strength at the receiver location; the greater the separation between the system and the receiver, the lower the success rate. TEMPEST shielding, of either equipment or rooms, can be used to minimize the spread of electromagnetic signals. The signal-to-noise ratio at the receiver, determined in part by the number of competing emitters, will also affect the success rate. The more workstations of the same type in the same location performing "random" activity, the more difficult it is to intercept a given workstation's radiation. On the other hand, the trend toward wireless (i.e., deliberate radiation) LAN connections may increase the likelihood of successful interception.

106. An insider may be able to easily collect data by configuring their ethernet network interface to receive all network traffic, rather than just network traffic intended for this node. This is called the promiscuous mode.

15.7 Mobile and Portable Systems

The analysis and management of risk usually has to be modified if a system is installed in a vehicle or is portable, such as a laptop computer. The system in a vehicle will share the risks of the vehicle, including accidents and theft, as well as regional and local risks.

Portable and mobile systems share an increased risk of theft and physical damage. In addition, portable systems can be "misplaced" or left unattended by careless users. Secure storage of laptop computers is often required when they are not in use.

If a mobile or portable system uses particularly valuable or important data, it may be appropriate to either store its data on a medium that can be removed from the system when it is unattended or to encrypt the data. In any case, the issue of how custody of mobile and portable computers is to be controlled should be addressed. Depending on the sensitivity of the system and its application, it may be appropriate to require briefings of users and signed briefing acknowledgments. (See Chapter 10 for an example.)

Encryption of data files on stored media may also be a cost-effective precaution against disclosure of confidential information if a laptop computer is lost or stolen.

15.8 Approach to Implementation

Like other security measures, physical and environmental security controls are selected because they are cost-beneficial. This does not mean that a user must conduct a detailed cost-benefit analysis for the selection of every control. There are four general ways to justify the selection of controls:

1. They are required by law or regulation. Fire exit doors with panic bars and exit lights are examples of security measures required by law or regulation. Presumably, the regulatory authority has considered the costs and benefits and has determined that it is in the public interest to require the security measure. A lawfully conducted organization has no option but to implement all required security measures.

2. The cost is insignificant, but the benefit is material. A good example of this is a facility with a key-locked low-traffic door to a restricted access area. The cost of keeping the door locked is minimal, but there is a significant benefit. Once a significant benefit/minimal cost security measure has been identified, no further analysis is required to justify its implementation.

3. The security measure addresses a potentially "fatal" security exposure but has a reasonable cost. Backing up system software and data is an example of this justification. For most systems, the cost of making regular backup copies is modest (compared to the costs of operating the system), the organization would not be able to function if the stored data were lost, and the cost impact of the failure would be material. In such cases, it would not be necessary to develop any further cost justification for the backup of software and data. However, this justification depends on what constitutes a modest cost, and it does not identify the optimum backup schedule. Broadly speaking, a cost that does not require budgeting of additional funds would qualify.

4. The security measure is estimated to be cost-beneficial. If the cost of a potential security measure is significant, and it cannot be justified by any of the first three reasons listed above, then its cost (both implementation and ongoing operation) and its benefit (reduction in future expected losses) need to be analyzed to determine if it is cost-beneficial. In this context, cost-beneficial means that the reduction in expected loss is significantly greater than the cost of implementing the security measure.

Arriving at the fourth justification requires a detailed analysis. Simple rules of thumb do not apply. Consider, for example, the threat of electric power failure and the security measures that can protect against such an event. The threat parameters, rate of occurrence and range of outage durations, depend on the location of the system, the details of its connection to the local electric power utility, the details of the internal power distribution system, and the character of other activities in the building that use electric power. The system's potential losses from service interruption depend on the details of the functions it performs. Two systems that are otherwise identical can support functions that have quite different degrees of urgency. Thus, two systems may have the same electric power failure threat and vulnerability parameters, yet entirely different loss potential parameters.

Furthermore, a number of different security measures are available to address electric power failures. These measures differ in both cost and performance. For example, the cost of an uninterruptible power supply (UPS) depends on the size of the electric load it can support, the number of minutes it can support the load, and the speed with which it assumes the load when the primary power source fails. An on-site power generator could also be installed either in place of a UPS (accepting the fact that a power failure will cause a brief service interruption) or in order to provide long-term backup to a UPS system. Design decisions include the magnitude of the load the generator will support, the size of the on-site fuel supply, and the details of the facilities to switch the load from the primary source or the UPS to the on-site generator.

This example shows systems with a wide range of risks and a wide range of available security measures (including, of course, no action), each with its own cost factors and performance parameters.
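Carrying the MTBF/MTTR reasoning of 15.3 and the fourth justification of 15.8 through in code, as an added example that is not part of the handbook: a series-system estimate of utility outages, then the expected-loss comparison for the electric power case with a UPS, a generator, or both. Every MTBF, MTTR, outage, loss and cost figure is constructed, and the redundant-pair formula is a standard reliability approximation the handbook does not state.

```python
"""Outage risk from MTBF/MTTR (Section 15.3) and the cost-benefit test of
Section 15.8's fourth justification, with electric power failure as the
worked case. Added example; every figure below is constructed."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Element:
    """One element of a supporting utility, e.g. a chiller."""
    name: str
    mtbf_hours: float   # mean time between failures
    mttr_hours: float   # mean time to repair


def failures_per_year(elements):
    """A utility fails when any element fails (series system); failures are
    taken as independent and randomly distributed, as 15.3 assumes."""
    return HOURS_PER_YEAR * sum(1.0 / e.mtbf_hours for e in elements)


def outage_hours_per_year(elements):
    """Expected interruption: each element's yearly failures times its MTTR."""
    return sum(HOURS_PER_YEAR / e.mtbf_hours * e.mttr_hours for e in elements)


def with_spares(elements, mttr_factor):
    """Spares on site and trained maintenance staff shorten MTTR (15.3)."""
    return [Element(e.name, e.mtbf_hours, e.mttr_hours * mttr_factor) for e in elements]


def redundant_pair(e):
    """A second identical unit: service is lost only while both are down.
    Usual approximation for a repairable pair: MTBF_pair ~ MTBF^2 / (2 * MTTR)."""
    return Element(e.name + " x2", e.mtbf_hours ** 2 / (2.0 * e.mttr_hours), e.mttr_hours)


# Constructed air-conditioning system with the four element types of 15.3.
AIR_CONDITIONING = [
    Element("air handler", 8760.0, 8.0),
    Element("chiller", 4380.0, 24.0),
    Element("chilled-water pump", 17520.0, 4.0),
    Element("cooling tower", 8760.0, 12.0),
]


@dataclass(frozen=True)
class OutageClass:
    """One band of the outage-duration range (a threat parameter)."""
    duration_hours: float   # representative length of outages in this band
    share: float            # fraction of power failures that fall in it


@dataclass(frozen=True)
class Measure:
    """A security measure and its performance parameters."""
    name: str
    annual_cost: float      # amortised implementation plus ongoing operation
    bridged_hours: float    # outage time absorbed before loss starts (UPS battery)
    gap_hours: float        # unavoidable interruption while the measure takes over


NO_ACTION = Measure("no action", 0.0, 0.0, 0.0)


def downtime_with(measure, duration_hours):
    """Service interruption that remains once the measure is in place."""
    gap = min(duration_hours, measure.gap_hours)
    return gap + max(duration_hours - measure.bridged_hours, 0.0)


def expected_annual_loss(outages_per_year, classes, loss_per_hour, measure=NO_ACTION):
    """Threat parameters (rate, duration range) times the loss potential."""
    hours = sum(outages_per_year * c.share * downtime_with(measure, c.duration_hours)
                for c in classes)
    return hours * loss_per_hour


def net_benefit(outages_per_year, classes, loss_per_hour, measure):
    """Reduction in expected loss minus the measure's annual cost; the fourth
    justification holds when this is (clearly) positive."""
    baseline = expected_annual_loss(outages_per_year, classes, loss_per_hour)
    remaining = expected_annual_loss(outages_per_year, classes, loss_per_hour, measure)
    return baseline - remaining - measure.annual_cost


def select_measure(outages_per_year, classes, loss_per_hour, candidates):
    """Choose the candidate (no action included) with the largest net benefit."""
    return max([NO_ACTION, *candidates],
               key=lambda m: net_benefit(outages_per_year, classes, loss_per_hour, m))


# Constructed threat parameters and candidate measures for one site.
POWER_OUTAGES_PER_YEAR = 6.0
POWER_OUTAGE_CLASSES = [OutageClass(0.05, 0.6), OutageClass(0.5, 0.3), OutageClass(6.0, 0.1)]
POWER_MEASURES = [
    Measure("UPS, 15 minutes", 1500.0, 0.25, 0.0),
    Measure("on-site generator", 6000.0, float("inf"), 0.1),
    Measure("UPS plus generator", 7500.0, float("inf"), 0.0),
]

if __name__ == "__main__":
    print(f"A/C outage: {outage_hours_per_year(AIR_CONDITIONING):.1f} h/yr")
    for loss_per_hour in (4000.0, 200.0):   # urgent vs. routine function, same hardware
        best = select_measure(POWER_OUTAGES_PER_YEAR, POWER_OUTAGE_CLASSES,
                              loss_per_hour, POWER_MEASURES)
        print(f"loss {loss_per_hour:.0f}/h -> {best.name}")
```

Running it shows the handbook's point that identical hardware with different urgency leads to different choices: the urgent system justifies UPS plus generator, the routine one justifies no action.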
15.9 Interdependencies

Physical and environmental security measures rely on and support the proper functioning of many of the other areas discussed in this handbook. Among the most important are the following:

Logical Access Controls. Physical security controls augment technical means for controlling access to information and processing. Even if the most advanced and best-implemented logical access controls are in place, if physical security measures are inadequate, logical access controls may be circumvented by directly accessing the hardware and storage media. For example, a computer system may be rebooted using different software.

Contingency Planning. A large portion of the contingency planning process involves the failure of physical and environmental controls. Having sound controls, therefore, can help minimize losses from such contingencies.

Identification and Authentication (I&A). Many physical access control systems require that people be identified and authenticated. Automated physical security access controls can use the same types of I&A as other computer systems. In addition, it is possible to use the same tokens (e.g., badges) as those used for other computer-based I&A.

Other. Physical and environmental controls are also closely linked to the activities of the local guard force, fire house, life safety office, and medical office. These organizations should be consulted for their expertise in planning controls for the systems environment.

15.10 Cost Considerations

Costs associated with physical security measures range greatly. Useful generalizations about costs, therefore, are difficult to make. Some measures, such as keeping a door locked, may be a trivial expense. Other features, such as fire-detection and -suppression systems, can be far more costly. Cost considerations should include operation. For example, adding controlled-entry doors requires persons using the door to stop and unlock it. Locks also require physical key management and accounting (and rekeying when keys are lost or stolen). Often these effects will be inconsequential, but they should be fully considered. As with other security measures, the objective is to select those that are cost-beneficial.

IV. TECHNICAL CONTROLS

Chapter 16 IDENTIFICATION AND AUTHENTICATION

For most systems, identification and authentication (I&A) is the first line of defense. I&A is a technical measure that prevents unauthorized people (or unauthorized processes) from entering a computer system.

I&A is a critical building block of computer security since it is the basis for most types of access control and for establishing user accountability.[107] Access control often requires that the system be able to identify and differentiate among users. For example, access control is often based on least privilege, which refers to the granting to users of only those accesses required to perform their duties. User accountability requires the linking of activities on a computer system to specific individuals and, therefore, requires the system to identify users.

Identification is the means by which a user provides a claimed identity to the system. Authentication is the means of establishing the validity of this claim.[108]

This chapter discusses the basic means of identification and authentication, the current technology used to provide I&A, and some important implementation issues.

A typical user identification could be JSMITH for Jane Smith. This information can be known by system administrators and other system users. A typical user authentication could be Jane Smith's password, which is kept secret. This way system administrators can set up Jane's access and see her activity on the audit trail, and system users can send her e-mail, but no one can pretend to be Jane.

Computer systems recognize people based on the authentication data the systems receive. Authentication presents several challenges: collecting authentication data, transmitting the data securely, and knowing whether the person who was originally authenticated is still the person using the computer system. For example, a user may walk away from a terminal while still logged on, and another person may start using it.

There are three means of authenticating a user's identity which can be used alone or in combination:

o something the individual knows (a secret, e.g., a password, Personal Identification Number (PIN), or cryptographic key);
o something the individual possesses (a token, e.g., an ATM card or a smart card); and
o something the individual is (a biometric, e.g., such characteristics as a voice pattern, handwriting dynamics, or a fingerprint).

107. Not all types of access control require identification and authentication.
108. Computers also use authentication to verify that a message or file has not been altered and to verify that a message originated with a certain person. This chapter only addresses user authentication. The other forms of authentication are addressed in Chapter 19.

While it may appear that any of these means could provide strong authentication, there are problems associated with each. If people wanted to pretend to be someone else on a computer system, they can guess or learn that individual's password; they can also steal or fabricate tokens. Each method also has drawbacks for legitimate users and system administrators: users forget passwords and may lose tokens, and administrative overhead for keeping track of I&A data and tokens can be substantial. Biometric systems have significant technical, user acceptance, and cost problems as well. For most applications, trade-offs will have to be made among security, ease of use, and ease of administration, especially in modern networked environments.

This section explains current I&A technologies and their benefits and drawbacks as they relate to the three means of authentication. Although some of the technologies make use of cryptography because it can significantly strengthen authentication, the explanations of cryptography appear in Chapter 19, rather than in this chapter.

16.1 I&A Based on Something the User Knows

The most common form of I&A is a user ID coupled with a password. This technique is based solely on something the user knows. There are other techniques besides conventional passwords that are based on knowledge, such as knowledge of a cryptographic key.

16.1.1 Passwords

In general, password systems work by requiring the user to enter a user ID and password (or passphrase or personal identification number). The system compares the password to a previously stored password for that user ID. If there is a match, the user is authenticated and granted access.

Benefits of Passwords. Passwords have been successfully providing security for computer systems for a long time. They are integrated into many operating systems, and users and system administrators are familiar with them. When properly managed in a controlled environment, they can provide effective security.

Problems With Passwords. The security of a password system is dependent upon keeping passwords secret. Unfortunately, there are many ways that the secret may be divulged. All of the problems discussed below can be significantly mitigated by improving password security, as discussed in the sidebar. However, there is no fix for the problem of electronic monitoring, except to use more advanced authentication (e.g., based on cryptographic techniques or tokens).

1. Guessing or finding passwords. If users select their own passwords, they tend to make them easy to remember. That often makes them easy to guess. The names of people's children, pets, or favorite sports teams are common examples. On the other hand, assigned passwords may be so difficult to remember that users are more likely to write them down. Many computer systems are shipped with administrative accounts that have preset passwords. Because these passwords are standard, they are easily guessed. Although security practitioners have been warning about this problem for years, many system administrators still do not change default passwords. Another method of learning passwords is to observe someone entering a password or PIN. The observation can be done by someone in the same room or by someone some distance away using binoculars. This is often referred to as shoulder surfing.

2. Giving passwords away. Users may share their passwords. They may give their password to a co-worker in order to share files. In addition, people can be tricked into divulging their passwords. This process is referred to as social engineering.

3. Electronic monitoring. When passwords are transmitted to a computer system, they can be electronically monitored. This can happen on the network used to transmit the password or on the computer system itself. Simple encryption of a password that will be used again does not solve this problem, because encrypting the same password will create the same ciphertext; the ciphertext becomes the password.

4. Accessing the password file. If the password file is not protected by strong access controls, the file can be downloaded. Password files are often protected with one-way encryption[109] so that plain-text passwords are not available to system administrators or hackers (if they successfully bypass access controls). Even if the file is encrypted, brute force can be used to learn passwords if the file is downloaded (e.g., by encrypting English words and comparing them to the file).

Improving Password Security

Password generators. If users are not allowed to generate their own passwords, they cannot pick easy-to-guess passwords. Some generators create only pronounceable nonwords to help users remember them. However, users tend to write down hard-to-remember passwords.

Limits on log-in attempts. Many operating systems can be configured to lock a user ID after a set number of failed log-in attempts. This helps to prevent guessing of passwords.

Password attributes. Users can be instructed, or the system can force them, to select passwords (1) with a certain minimum length, (2) with special characters, (3) that are unrelated to their user ID, or (4) to pick passwords which are not in an on-line dictionary. This makes passwords more difficult to guess (but more likely to be written down).

Changing passwords. Periodic changing of passwords can reduce the damage done by stolen passwords and can make brute-force attempts to break into systems more difficult. Too frequent changes, however, can be irritating to users.

Technical protection of the password file. Access control and one-way encryption can be used to protect the password file itself.

Note: Many of these techniques are discussed in FIPS 112, Password Usage, and FIPS 181, Automated Password Generator.
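The sidebar's measures in code, as an added example taken from neither the handbook nor FIPS 112/181: the four password attributes (minimum length, special characters, unrelated to the user ID, not in a dictionary), a limit on failed log-in attempts, and a password file that holds only one-way verifiers. The word list, user IDs and passwords are constructed, and salted PBKDF2 is a modern stand-in for the one-way encryption the text describes.

```python
"""Password I&A with the protections listed in the sidebar "Improving Password
Security": password attributes, a dictionary check, a one-way protected
password file, and limits on log-in attempts. Added example, not from the
handbook; the salted PBKDF2 verifier stands in for the "one-way encryption"
the handbook describes."""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 3
PBKDF2_ITERATIONS = 100_000
DUMMY_SALT, DUMMY_VERIFIER = b"\x00" * 16, b"\x00" * 32

# Constructed stand-in for the "on-line dictionary" of easily guessed words
# (the children's names, pets and sports teams the text mentions).
DICTIONARY = {"password", "secret", "welcome", "letmein", "fluffy", "yankees"}


def check_password_policy(user_id, password):
    """Return the policy violations of a candidate password (empty = acceptable).
    The four attributes are those the sidebar lists."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than minimum length")
    if not any(ch in string.punctuation for ch in password):
        problems.append("no special character")
    if user_id.lower() in password.lower():
        problems.append("related to user ID")
    letters_only = "".join(ch for ch in password.lower() if ch.isalpha())
    if letters_only in DICTIONARY:          # catches "fluffy", "Fluffy!1", ...
        problems.append("dictionary word")
    return problems


class PasswordFile:
    """Holds only one-way verifiers, so plain-text passwords are not available
    to administrators, or to anyone who copies the file."""

    def __init__(self):
        self._records = {}      # user_id -> (salt, verifier)
        self._failed = {}       # user_id -> consecutive failed log-ins
        self._locked = set()

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def set_password(self, user_id, password):
        """Enforce the attributes, then store a salted one-way verifier."""
        problems = check_password_policy(user_id, password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)   # per-user salt: equal passwords give different verifiers
        self._records[user_id] = (salt, self._derive(password, salt))
        self._failed[user_id] = 0

    def verifier(self, user_id):
        return self._records[user_id][1]

    def is_locked(self, user_id):
        return user_id in self._locked

    def authenticate(self, user_id, password):
        """True only for a known, unlocked user presenting the right password.
        The entered password is one-way encrypted and compared with the stored
        ciphertext, as footnote 109 describes; unknown IDs still pay for a
        derivation so response time does not reveal which IDs exist."""
        salt, stored = self._records.get(user_id, (DUMMY_SALT, DUMMY_VERIFIER))
        candidate = self._derive(password, salt)
        if user_id not in self._records or user_id in self._locked:
            return False
        if hmac.compare_digest(candidate, stored):
            self._failed[user_id] = 0
            return True
        self._failed[user_id] += 1
        if self._failed[user_id] >= MAX_FAILED_ATTEMPTS:
            self._locked.add(user_id)   # lock the ID after repeated failures
        return False
```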
protected with one-way so that plain-text passwords are not available to system administrators or they successfully bypass access controls Even can be used to learn passwords and comparing them to the if the file is downloaded if the e g file is encrypted brute force by encrypting English words file Passwords Used as Access Control Some mainframe operating systems and many PC applications use passwords as a means of restricting access to specific resources within a system Instead of using mechanisms such as access control lists see Chapter 17 access is granted by entering a password The result is a proliferation of passwords that can reduce the overall security of a system While the use of passwords as a approach that is means of access control is common it is an often less than optimal and not cost-effective 16 1 2 Cryptographic Keys Although the authentication derived from the knowledge of a cryptographic key may be based entirely on something the user knows it is necessary for the user to also possess or have access something that can perform the cryptographic computations such as a to For this reason the However it is protocols used are discussed in the or a smart card possible to implement these types of protocols without using a smart token Additional discussion is also provided under the Single Log-in section I A Based on Something the 16 2 PC Smart Tokens section of this chapter User Possesses Although some techniques are based solely on something the user possesses most of the techniques described in this section are combined with something the user knows This combination can provide significantly stronger security than either something the user knows or possesses alone 110 Objects that a user possesses for the purpose of I A are called tokens This section divides tokens into two categories 109 memory tokens and smart tokens One-way encryption algorithms only provide decrypted When passwords are entered for the encryption of data into the system they are 
Footnote 110: For the purpose of understanding how possession-based I&A works, it is not necessary to distinguish whether the token is used for identification or authentication.

16.2.1 Memory Tokens

Memory tokens store, but do not process, information. Special reader/writer devices control the writing and reading of data to and from the tokens. The most common type of memory token is a magnetic striped card, in which a thin stripe of magnetic material is affixed to the surface of a card (e.g., as on the back of credit cards). A common application of memory tokens for authentication to computer systems is the automatic teller machine (ATM) card. This uses a combination of something the user possesses (the card) with something the user knows (the PIN).

Some computer systems authentication technologies are based solely on possession of a token, but they are less common. Token-only systems are more likely to be used in other applications, such as for physical access. (See Chapter 15.)

Benefits of Memory Token Systems

Memory tokens, when used with PINs, provide significantly more security than passwords. In addition, memory cards are inexpensive to produce. For a hacker or other would-be masquerader to pretend to be someone else, the hacker must have both a valid token and the corresponding PIN. This is much more difficult than obtaining a valid password and user ID combination (especially since most user IDs are common knowledge).

Another benefit of tokens is that they can be used in support of log generation without the need for the employee to key in a user ID for each transaction or other logged event, since the token can be scanned repeatedly. If the token is required for physical entry and exit, then people will be forced to remove the token when they leave the computer. This can help maintain authentication.

Problems With Memory Token Systems
Although sophisticated technical attacks are possible against memory token systems, most of the problems associated with them relate to their cost, administration, token loss, user dissatisfaction, and the compromise of PINs. Most of the techniques for increasing the security of memory token systems relate to the protection of PINs. Many of the techniques discussed in the sidebar on Improving Password Security apply to PINs.

1. Requires special reader. The need for a special reader increases the cost of using memory tokens. The readers used for memory tokens must include both the physical unit that reads the card and a processor that determines whether the card and/or the PIN entered with the card is valid. If the PIN or token is validated by a processor that is not physically located with the reader, then the authentication data is vulnerable to electronic monitoring, although cryptography can be used to solve this problem.

2. Token loss. A lost token may prevent the user from being able to log in until a replacement is provided. This can increase administrative overhead costs. The lost token could be found by someone who wants to break into the system, or could be stolen or forged. If the token is also used with a PIN, any of the methods described above to obtain the PIN can be used. Common methods are finding the PIN taped to the card or observing the PIN being entered by the legitimate user. In addition, any information stored on the magnetic stripe that has not been encrypted can be read.

Sidebar: Attacks on memory-card systems have sometimes been creative. One group stole an ATM machine and installed it at a local mall. The machine collected valid account numbers and corresponding PINs, which the thieves used to forge cards. The forged cards were then used to withdraw money from legitimate ATMs.

3. User dissatisfaction. In general, users want computers to be easy to use. Many users find it inconvenient to carry and present a token. However, their dissatisfaction may be reduced if they see the need for increased security.
16.2.2 Smart Tokens

A smart token expands the functionality of a memory token by incorporating one or more integrated circuits into the token itself. When used for authentication, a smart token is another example of authentication based on something a user possesses (i.e., the token itself). A smart token typically requires a user also to provide something the user knows (i.e., a PIN or password) in order to unlock the smart token for use.

There are many different types of smart tokens. In general, smart tokens can be divided three ways: based on physical characteristics, interface, and protocols used. These three divisions are not mutually exclusive.

Physical Characteristics. Smart tokens can be divided into two groups: smart cards and other types of tokens. A smart card looks like a credit card but incorporates an embedded microprocessor. Smart cards are defined by an International Standards Organization (ISO) standard. Smart tokens that are not smart cards can look like calculators, keys, or other small portable objects.

Interface. Smart tokens have either a manual or an electronic interface. Manual or human interface tokens have displays and/or keypads to allow humans to communicate with the card. Smart tokens with electronic interfaces must be read by special reader/writers. Smart cards, described above, have an electronic interface. Smart tokens that look like calculators usually have a manual interface.

Protocol. There are many possible protocols a smart token can use for authentication. In general, they can be divided into three categories: static password exchange, dynamic password generators, and challenge-response.

o Static tokens work similarly to memory tokens, except that the users authenticate themselves to the token and then the token authenticates the user to the computer.
o A token that uses a dynamic password generator protocol creates a unique value (for example, an eight-digit number) that changes periodically (e.g., every minute). If the token has a manual interface, the user simply reads the current value and then types it into the computer system for authentication. If the token has an electronic interface, the transfer is done automatically. If the correct value is provided, the log-in is permitted and the user is granted access to the system.

o Tokens that use a challenge-response protocol work by having the computer generate a challenge, such as a random string of numbers. The smart token then generates a response based on the challenge. This is sent back to the computer, which authenticates the user based on the response. The challenge-response protocol is based on cryptography. Challenge-response tokens can use either electronic or manual interfaces.

There are other types of protocols, some more sophisticated and some less so. The three types described above are the most common.

Benefits of Smart Tokens

Smart tokens offer great flexibility and can be used to solve many authentication problems. The benefits of smart tokens vary, depending on the type used. In general, they provide greater security than memory cards. Smart tokens can solve the problem of electronic monitoring, even if the authentication is done across an open network, by using one-time passwords.

1. One-time passwords. Smart tokens that use either dynamic password generation or challenge-response protocols can create one-time passwords. Electronic monitoring is not a problem with one-time passwords because each time the user is authenticated to the computer, a different "password" is used. (A hacker could learn the one-time password through electronic monitoring, but it would be of no value.)

2. Reduced risk of forgery. Generally, the memory on a smart token is not readable unless the PIN is entered. In addition, the tokens are more complex and, therefore, more difficult to forge.

3. Multi-application. Smart tokens with electronic interfaces, such as smart cards, provide a way for users to access many computers using many networks with only one log-in. This is further discussed in the Single Log-in section of this chapter. In addition, a single smart card can be used for multiple functions, such as physical access or as a debit card.
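The dynamic password generator and challenge-response protocols above, as an added Python example that is not part of the handbook: both token and host derive the one-time values by HMAC from a shared secret key (an assumption; the page says only that the protocol is based on cryptography), the token computes nothing until its PIN is entered, and the host refuses a replayed value or response, which is the one-time-password benefit described in item 1.

```python
import hashlib
import hmac
import secrets


def _dynamic_value(key, minute):
    """Eight-digit value for a given minute counter, derived by HMAC from the
    token's secret key. Token and host compute it the same way."""
    mac = hmac.new(key, b"time:" + minute.to_bytes(8, "big"), hashlib.sha256).digest()
    return "%08d" % (int.from_bytes(mac[:4], "big") % 100_000_000)


def _response(key, challenge):
    """Response to a challenge: HMAC of the challenge under the token's key."""
    return hmac.new(key, b"challenge:" + challenge, hashlib.sha256).hexdigest()


class SmartToken:
    """Token side. The key never leaves the token, and nothing is computed
    until the PIN (something the user knows) unlocks it."""

    def __init__(self, key, pin):
        self._key = key
        self._pin = pin
        self._unlocked = False

    def unlock(self, pin):
        self._unlocked = hmac.compare_digest(pin.encode(), self._pin.encode())
        return self._unlocked

    def _require_unlocked(self):
        if not self._unlocked:
            raise PermissionError("token is locked; enter the PIN first")

    def dynamic_password(self, minute):
        """Dynamic password generator: the value the display would show now."""
        self._require_unlocked()
        return _dynamic_value(self._key, minute)

    def respond(self, challenge):
        """Challenge-response: compute the reply to the host's challenge."""
        self._require_unlocked()
        return _response(self._key, challenge)


class Host:
    """Computer side. Holds each user's token key and verifies one-time values."""

    def __init__(self):
        self._keys = {}
        self._last_minute = {}   # user -> most recent minute already accepted
        self._pending = {}       # user -> challenge issued but not yet answered

    def register(self, user, key):
        self._keys[user] = key

    def verify_dynamic(self, user, value, minute, drift=1):
        """Accept a value for the current minute (+/- drift for clock skew),
        but never for a minute already used: a value captured by electronic
        monitoring cannot be replayed."""
        key = self._keys.get(user)
        if key is None:
            return False
        last = self._last_minute.get(user, -1)
        for m in range(minute - drift, minute + drift + 1):
            if m > last and hmac.compare_digest(_dynamic_value(key, m), value):
                self._last_minute[user] = m
                return True
        return False

    def issue_challenge(self, user):
        """Generate a fresh random challenge; only one outstanding per user."""
        challenge = secrets.token_bytes(16)
        self._pending[user] = challenge
        return challenge

    def verify_response(self, user, response):
        """Check the response against the outstanding challenge, which is
        consumed whether or not the check succeeds."""
        challenge = self._pending.pop(user, None)
        key = self._keys.get(user)
        if challenge is None or key is None:
            return False
        return hmac.compare_digest(_response(key, challenge), response)


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed key shared at enrollment
    token, host = SmartToken(key, "1234"), Host()
    host.register("jsmith", key)
    token.unlock("1234")
    value = token.dynamic_password(27_000_000)
    print(value, host.verify_dynamic("jsmith", value, 27_000_000))   # True
    print(host.verify_dynamic("jsmith", value, 27_000_000))          # False: replay
    challenge = host.issue_challenge("jsmith")
    print(host.verify_response("jsmith", token.respond(challenge)))  # True
```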
Problems with Smart Tokens

Like memory tokens, most of the problems associated with smart tokens relate to their cost, the administration of the system, and user dissatisfaction. Smart tokens are generally less vulnerable to the compromise of PINs because authentication usually takes place on the card. (It is possible, of course, for someone to watch a PIN being entered and steal that card.) Smart tokens cost more than memory cards because they are more complex, particularly challenge-response calculators.

1. Need reader/writers or human intervention. Smart tokens can use either an electronic or a human interface. An electronic interface requires a reader, which creates additional expense. Human interfaces require more actions from the user. This is especially true for challenge-response tokens with a manual interface, which require the user to type the challenge into the smart token and the response into the computer. This can increase user dissatisfaction.

Sidebar: Electronic reader/writers can take many forms, such as a slot in a PC or a separate external device. Most human interfaces consist of a keypad and display.

2. Substantial administration. Smart tokens, like passwords and memory tokens, require strong administration. For tokens that use cryptography, this includes key management. (See Chapter 19.)

16.3 I&A Based on Something the User Is

Biometric authentication technologies use the unique characteristics (or attributes) of an individual to authenticate that person's identity. These include physiological attributes (such as fingerprints, hand geometry, or retina patterns) or behavioral attributes (such as voice patterns and hand-written signatures). Biometric authentication technologies based upon these attributes have been developed for computer log-in applications.

Biometric authentication generally operates in the following manner.
Before any authentication attempts, a user is enrolled by creating a reference profile (or template) based on the desired physical attribute. The resulting template is associated with the identity of the user and stored for later use. When attempting authentication, the user's biometric attribute is measured. The previously stored reference profile of the biometric attribute is compared with the measured profile of the attribute taken from the user. The result of the comparison is then used to either accept or reject the user.

Sidebar: Biometric authentication is technically complex and expensive, and user acceptance can be difficult. However, advances continue to be made to make the technology more reliable, less costly, and more user-friendly.

Biometric systems can provide an increased level of security for computer systems, but the technology is still less mature than that of memory tokens or smart tokens. Imperfections in biometric authentication devices arise from technical difficulties in measuring and profiling physical attributes, as well as from the somewhat variable nature of physical attributes. These may change, depending on various conditions. For example, a person's speech pattern may change under stressful conditions or when suffering from a sore throat or cold. Due to their relatively high cost, biometric systems are typically used with other authentication means in environments requiring high security.

16.4 Implementing I&A Systems

Some of the important implementation issues for I&A systems include administration, maintaining authentication, and single log-in.

16.4.1 Administration

Administration of authentication data is a critical element for all types of authentication systems. The administrative overhead associated with I&A can be significant. I&A systems need to create and store authentication data. For passwords, this
includes creating passwords, issuing them to users, and maintaining a password file. Token systems involve the creation and distribution of tokens/PINs and data that tell the computer how to recognize valid tokens/PINs. For biometric systems, this includes creating and storing profiles. The administrative tasks of creating and distributing authentication data and tokens can be substantial. Identification data has to be kept current by adding new users and deleting former users. If the distribution of passwords or tokens is not controlled, system administrators will not know if they have been given to someone other than the legitimate user. It is critical that the distribution of authentication data ensure that the data is firmly linked with a given individual. In addition, administrative tasks should address lost or stolen passwords or tokens. It is often necessary to monitor systems to look for stolen or shared accounts. Some of these issues are discussed in Chapter 10 under User Administration.

Sidebar: One method of looking for improperly used accounts is for the computer to inform users when they last logged on. This allows users to check if someone else used their account.

Authentication data needs to be stored securely, as discussed with regard to accessing password files. The value of authentication data lies in the data's confidentiality, integrity, and availability. If confidentiality is compromised, someone may be able to use the information to masquerade as a legitimate user. If system administrators can read the authentication file, they can masquerade as another user. Many systems use encryption to hide the authentication data from the system administrators. [111] If integrity is compromised, authentication data can be added or the system can be disrupted. If availability is compromised, the system cannot authenticate users, and the users may not be able to work.
Footnote 111: Masquerading by system administrators cannot be prevented entirely. However, controls can be set up so that improper actions by the system administrator can be detected in audit records.

16.4.2 Maintaining Authentication

So far, this chapter has discussed only initial authentication. It is also possible for someone to use a legitimate user's account after log-in. [112] Many computer systems handle this problem by logging a user out or locking their display or session after a certain period of inactivity. However, these methods can affect productivity and can make the computer less user-friendly.

Footnote 112: After a user signs on, the computer treats all commands originating from the user's physical device (such as a PC or terminal) as being from that user.

16.4.3 Single Log-in

From an efficiency viewpoint, it is desirable for users to authenticate themselves only once and then to be able to access a wide variety of applications and data available on local and remote systems, even if those systems require users to authenticate themselves. [113] This is known as single log-in. If the access is within the same host computer, then the use of a modern access control system (such as an access control list) should allow for a single log-in. If the access is across multiple platforms, then the issue is more complicated, as discussed below. There are three main techniques that can provide single log-in across multiple computers: host-to-host authentication, authentication servers, and user-to-host authentication.

Footnote 113: Single log-in is somewhat of a misnomer. It is currently not feasible to have one sign-on for every computer system a user might wish to access. The types of single log-in described apply mainly to groups of systems (e.g., within an organization or a consortium).

Host-to-Host Authentication. Under a host-to-host authentication approach, users authenticate themselves once to a host computer. That computer then authenticates itself to other computers and vouches for the specific user. Host-to-host authentication can be done by passing an identification, a password, or by a challenge-response mechanism or other one-time password scheme. Under this approach, it is necessary for the computers to recognize each other and to trust each other.
Authentication Servers. When using an authentication server, the users authenticate themselves to a special host computer (the authentication server). This computer then authenticates the user to the other host computers the user wants to access. Under this approach, it is necessary for the computers to trust the authentication server. (The authentication server need not be a separate computer, although in some environments this may be a cost-effective way to increase the security of the server.) Authentication servers can be distributed geographically or logically, as needed, to reduce workload.

Sidebar: Kerberos and SPX are examples of network authentication server protocols. They both use cryptography to authenticate users to computers on networks.

User-to-Host. A user-to-host authentication approach requires the user to log in to each host computer. However, a smart token (such as a smart card) can contain all authentication data and perform that service for the user. To users, it looks as though they were only authenticated once.

16.5 Interdependencies

There are many interdependencies among I&A and other controls. Several of them have been discussed in the chapter.

Logical Access Controls. Access controls are needed to protect the authentication database. I&A is often the basis for access controls. Dial-back modems and firewalls, discussed in Chapter 17, can help prevent hackers from trying to log in.

Audit. I&A is necessary if an audit log is going to be used for individual accountability.

Cryptography. Cryptography provides two basic services to I&A: it protects the confidentiality of authentication data, and it provides protocols for proving knowledge and/or possession of a token without having to transmit data that could be replayed to gain access to a computer system.
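The authentication-server technique from the Single Log-in section, as an added Python illustration that is neither the handbook's code nor the Kerberos or SPX protocols it names: the server checks the user's password once and issues, for each host the user wants, a credential tagged with the HMAC key it shares with that host; host names, keys and the 600-second lifetime are assumed.

```python
import hashlib
import hmac
import json
import os


class AuthenticationServer:
    """The special host that users authenticate to once. It shares a distinct
    secret key with every host that trusts it and uses that key to vouch for
    the user to that host. Simplified illustration, not Kerberos or SPX."""

    def __init__(self):
        self._users = {}       # user -> (salt, one-way encrypted password)
        self._host_keys = {}   # host name -> key shared with that host

    def add_user(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, self._encrypt(password, salt))

    def add_host(self, host, key):
        self._host_keys[host] = key

    @staticmethod
    def _encrypt(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def log_in(self, user, password, hosts, now, lifetime=600):
        """Authenticate the user once; on success return one credential per
        requested host (hosts the server does not know are skipped)."""
        record = self._users.get(user)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(self._encrypt(password, salt), stored):
            return None
        return {h: self._vouch(user, h, now + lifetime)
                for h in hosts if h in self._host_keys}

    def _vouch(self, user, host, expires):
        """Credential = claims bound to one host and a deadline, plus an HMAC
        tag only the server and that host can compute."""
        body = json.dumps({"user": user, "host": host, "expires": expires},
                          sort_keys=True)
        tag = hmac.new(self._host_keys[host], body.encode(), hashlib.sha256).hexdigest()
        return body + "." + tag


class TrustingHost:
    """A host that accepts the server's word instead of asking for a password."""

    def __init__(self, name, key):
        self._name = name
        self._key = key

    def accept(self, credential, now):
        """Return the user the server vouched for, or None if the credential
        is forged, meant for another host, or expired."""
        body, _, tag = credential.rpartition(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None
        claims = json.loads(body)
        if claims["host"] != self._name or claims["expires"] <= now:
            return None
        return claims["user"]


if __name__ == "__main__":
    # Constructed deployment: one server, two hosts that trust it, one user.
    server = AuthenticationServer()
    server.add_user("jsmith", "Tr0ub4dor&3")
    server.add_host("payroll", b"A" * 32)
    server.add_host("mail", b"B" * 32)
    payroll, mail = TrustingHost("payroll", b"A" * 32), TrustingHost("mail", b"B" * 32)
    creds = server.log_in("jsmith", "Tr0ub4dor&3", ["payroll", "mail"], now=1000)
    print(payroll.accept(creds["payroll"], 1100))   # jsmith: one log-in, two hosts
    print(mail.accept(creds["payroll"], 1100))      # None: credential bound to payroll
    print(payroll.accept(creds["payroll"], 1700))   # None: expired
```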
16.6 Cost Considerations

In general, secure passwords are the least expensive authentication technique and are generally already embedded in many systems. Memory tokens are less expensive than smart tokens but have less functionality. Smart tokens with a human interface do not require readers but are more inconvenient to use. Biometrics tend to be the most expensive.

For I&A systems, the cost of administration is often underestimated. Just because a system comes with a password system does not mean that using it is free. For example, there is significant overhead to administering the I&A system.

References

Alexander, M., ed. "Keeping the Bad Guys Off-Line." Infosecurity News. 4(6), 1993. pp. 54-65.

American Bankers Association. American National Standard for Financial Institution Sign-On Authentication for Wholesale Financial Transactions. ANSI X9.26-1990. Washington, DC, February 28, 1990.

CCITT Recommendation X.509. The Directory - Authentication Framework. November 1988. (Developed in collaboration, and technically aligned, with ISO 9594-8.)

Department of Defense. Password Management Guideline. CSC-STD-002-85. April 12, 1985.

Feldmeier, David C., and Philip R. Karn. "UNIX Password Security - Ten Years Later." Crypto '89 Abstracts. Santa Barbara, CA: Crypto '89 Conference, August 20-24, 1989.

Haykin, Martha E., and Robert B. J. Warnar. Smart Card Technology: New Methods for Computer Access Control. Special Publication 500-157. Gaithersburg, MD: National Institute of Standards and Technology, September 1988.

Kay, R. "Whatever Happened to Biometrics." Infosecurity News. 4(5), 1993. pp. 60-62.

National Bureau of Standards. Password Usage. Federal Information Processing Standard Publication 112. May 30, 1985.

National Institute of Standards and Technology. Automated Password Generator. Federal Information Processing Standard Publication 181. October 1993.

National Institute of Standards and Technology. Guideline for the Use of Advanced Authentication Technology Alternatives. Federal Information Processing Standard Publication 190. October 1994.

Salamone, S. "Internetwork Security: Unsafe at Any Node." Data Communications. 22(12), 1993. pp. 61-68.
Sherman, R. "Biometric Futures." Computers and Security. 11(2), 1992. pp. 128-133.

Smid, Miles, James Dray, and Robert B. J. Warnar. "A Token-Based Access Control System for Computer Networks." Proceedings of the 12th National Computer Security Conference. National Institute of Standards and Technology, October 1989.

Steiner, J., C. Neuman, and J. Schiller. "Kerberos: An Authentication Service for Open Network Systems." Proceedings Winter USENIX. Dallas, Texas, February 1988. pp. 191-202.

Troy, Eugene F. Security for Dial-Up Lines. Special Publication 500-137. Gaithersburg, MD: National Bureau of Standards, May 1986.

Chapter 17
LOGICAL ACCESS CONTROL

Logical access controls provide a technical means of controlling what information users can utilize, the programs they can run, and the modifications they can make.

On many multiuser systems, requirements for using (and prohibitions against the use of) various computer resources [114] vary considerably. Typically, for example, some information must be accessible to all users, [115] some may be needed by several groups or departments, and some should be accessed by only a few individuals. While it is obvious that users must have access to the information they need to do their jobs, it may also be required to deny access to non-job-related information. It may also be important to control the kind of access that is afforded (e.g., the ability for the average user to execute, but not change, system programs). These types of access restrictions enforce policy and help ensure that unauthorized actions are not taken.

Access is the ability to do something with a computer resource (e.g., use, change, or view). Access control is the means by which the ability is explicitly enabled or restricted in some way (usually through physical and system-based controls).

Sidebar: The term access is often confused with authorization and authentication. Access is the ability to do something with a computer resource. This usually refers to a technical
ability (e.g., read, create, modify, or delete a file, execute a program, or use an external connection). Authorization is the permission to use a computer resource. Permission is granted, directly or indirectly, by the application or system owner. Authentication is proving (to some reasonable degree) that users are who they claim to be.

Computer-based access controls are called logical access controls. Logical access controls can prescribe not only who or what (e.g., in the case of a process) is to have access to a specific system resource but also the type of access that is permitted. These controls may be built into the operating system, may be incorporated into applications programs or major utilities (e.g., database management systems or communications systems), or may be implemented through add-on security packages. Logical access controls may be implemented internally to the computer system being protected or may be implemented in external devices.

Footnote 114: The term computer resources includes information as well as system resources, such as programs, subroutines, and hardware (e.g., modems, communications lines).

Footnote 115: Users need not be actual human users. They could include, for example, a program or another computer requesting use of a system resource.

Logical access controls can help protect:

o operating systems and other system software from unauthorized modification or manipulation (and thereby help ensure the system's integrity and availability);

o the integrity and availability of information by restricting the number of users and processes with access; and

o confidential information from being disclosed to unauthorized individuals.

Sidebar: Controlling access is normally thought of as applying to human users (e.g., will technical access be provided for user JSMITH to the file "payroll.dat") but access can be provided to other computer systems. Also, access controls are often incorrectly thought of as only applying to files. However, they also protect other system resources such as the ability to place an outgoing long-distance phone call through a system modem (as well as, perhaps, the information that can be sent
over such a call).

Access controls can also apply to specific functions within an application and to specific fields of a file. This chapter first discusses basic criteria that can be used to decide whether a particular user should be granted access to a particular system resource. It then reviews the use of these criteria by those who set policy (usually system-specific policy), commonly used technical mechanisms for implementing logical access control, and issues related to administration of access controls.

17.1 Access Criteria

In deciding whether to permit someone to use a system resource, logical access controls examine whether the user is authorized for the type of access requested. (Note that this inquiry is usually distinct from the question of whether the user is authorized to use the system at all, which is usually addressed in an identification and authentication process.)

The system uses various criteria to determine if a request for access will be granted. They are typically used in some combination. Many of the advantages and complexities involved in implementing and managing access control are related to the different kinds of user accesses supported.

Sidebar: When determining what kind of technical access to allow to specific data, programs, devices, and resources, it is important to consider who will have access and what kind of access they will be allowed. It may be desirable for everyone in the organization to have access to some information on the system, such as the data displayed on an organization's daily calendar of nonconfidential meetings. The program that formats and displays the calendar, however, might be modifiable by only a very few system administrators, while the operating system controlling that program might be directly accessible by still fewer.

17.1.1 Identity

It is probably fair to
say that the majority of access controls are based upon the identity of the user (either human or process), which is usually obtained through identification and authentication (I&A). (See Chapter 16.) The identity is usually unique, to support individual accountability, but can be a group identification or can even be anonymous. For example, public information dissemination systems may serve a large group called "researchers" in which the individual researchers are not known.

17.1.2 Roles

Access to information may also be controlled by the job assignment or function (i.e., the role) of the user who is seeking access. Examples of roles include data entry clerk, purchase officer, project leader, programmer, and technical editor. Access rights are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role. An individual may be authorized for more than one role but may be required to act in only a single role at a time. Changing roles may require logging out and then in again, or entering a role-changing command.

Many systems already support a small number of special-purpose roles, such as System Administrator or Operator. For example, an individual who is logged on in the role of a System Administrator can perform operations that would be denied to the same individual acting in the role of an ordinary user.

Recently, the use of roles has been expanded beyond system tasks to application-oriented activities. For example, a user in a company could have an Order Taking role and would be able to collect customer billing information, check on availability of particular items, request shipment of items, and issue invoices. In addition, there could be an Accounts Receivable role, which would receive payments and credit them to particular invoices. A Shipping role could then be responsible for shipping products and updating the inventory. To provide additional security, constraints could be imposed so a single user would never be simultaneously authorized to assume all three roles. Constraints of this kind are sometimes referred to as separation of duty constraints.

Sidebar: Note that use of roles is not the same as shared-use accounts. An individual may be assigned a standard set of rights of a shipping department data entry clerk, for example, but the account would
still be tied to that individual's identity to allow for auditing. (See Chapter 18.)

The use of roles can be a very effective way of providing access control. The process of defining roles should be based on a thorough analysis of how an organization operates and should include input from a wide spectrum of users in an organization.

17.1.3 Location

Access to particular system resources may also be based upon physical or logical location. For example, in a prison, all users in areas to which prisoners are physically permitted may be limited to read-only access. Changing or deleting is limited to areas to which prisoners are denied physical access. The same authorized users (e.g., prison guards) would operate under significantly different logical access controls, depending upon their physical location. Similarly, users can be restricted based upon network addresses (e.g., users from sites within a given organization may be permitted greater access than those from outside).

17.1.4 Time

Time-of-day or day-of-week restrictions are common limitations on access. For example, use of confidential personnel files may be allowed only during normal working hours and may be denied before 8:00 a.m. and after 6:00 p.m. and all day during weekends and holidays.

17.1.5 Transaction

Another approach to access control can be used by organizations handling transactions (e.g., account inquiries). Phone calls may first be answered by a computer that requests that callers key in their account number and perhaps a PIN. Some routine transactions can then be made directly, but more complex ones may require human intervention. In such cases, the computer, which already knows the
account number, can grant a clerk, for example, access to a particular account for the duration of the transaction. When completed, the access authorization is terminated. This means that users have no choice in which accounts they have access to, and can reduce the potential for mischief. It also eliminates employee browsing of accounts (e.g., those of celebrities or their neighbors) and can thereby heighten privacy.

17.1.6 Service Constraints

Service constraints refer to those restrictions that depend upon the parameters that may arise during use of the application or that are preestablished by the resource owner/manager. For example, a particular software package may only be licensed by the organization for five users at a time. Access would be denied for a sixth user, even if the user were otherwise authorized to use the application. Another type of service constraint is based upon application content or numerical thresholds. For example, an ATM machine may restrict transfers of money between accounts to certain dollar limits or may limit maximum ATM withdrawals to $500 per day. Access may also be selectively permitted based on the type of service requested. For example, users of computers on a network may be permitted to exchange electronic mail but may not be allowed to log in to each others' computers.

17.1.7 Common Access Modes

In addition to considering criteria for when access should occur, it is also necessary to consider the types of access, or access modes. The concept of access modes is fundamental to access control. Common access modes, which can be used in both operating or application systems, include the following: [116]

Footnote 116: These access modes are described generically; exact definitions and capabilities will vary from implementation to implementation. Readers are advised to consult their system and application documentation.

Read access provides users with the capability to view information in a system resource (such as a file, certain records, certain fields, or some combination
thereof), but not to alter it, such as delete from, add to, or modify in any way. One must assume that information can be copied and printed if it can be read (although perhaps only manually, such as by using a print screen function and retyping the information into another file).

Write access allows users to add to, modify, or delete information in system resources (e.g., files, records, programs). Normally users have read access to anything they have write access to.

Execute privilege allows users to run programs.

Delete access allows users to erase system resources (e.g., files, records, fields). Note that if users have write access but not delete access, they could overwrite the field or file with gibberish or otherwise inaccurate information and, in effect, delete the information. [117]

Other specialized access modes (more often found in applications) include:

Create access allows users to create new files, records, or fields.

Search access allows users to list the files in a directory.

Of course, these criteria can be used in conjunction with one another. For example, an organization may give authorized individuals write access to an application at any time from within the office but only read access during normal working hours if they dial in. Depending upon the technical mechanisms available to implement logical access control, a variety of access permissions and restrictions are possible. No discussion can present all possibilities.

Footnote 117: Deleting information does not necessarily physically remove the data from the storage media. This can have serious implications for information that must be kept confidential. See Disposition of Sensitive Information, CSL Bulletin, NIST, October 1992.

17.2 Policy: The Impetus for Access Controls

Logical access controls are a technical means of implementing policy decisions. Policy is made by a management official responsible for a particular system, application, subsystem, or group of systems. The development of an access control policy may not be an easy endeavor. It requires balancing the often-competing interests of security, operational requirements, and user-friendliness. In addition, technical constraints have to be considered. [118]
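The access criteria of 17.1 and the access modes of 17.1.7 applied in combination, as an added Python example that is not from the handbook: roles with the three-role separation-of-duty constraint, the 8:00 a.m. to 6:00 p.m. working-hours window, the dial-in read-only rule, and the five-user licence limit; user, role and resource names are constructed.

```python
from dataclasses import dataclass, field

# Access modes from 17.1.7. Write access normally implies read access.
MODES = {"read", "write", "execute", "delete", "create", "search"}
IMPLIED = {"write": {"read"}}

# Separation-of-duty constraint from 17.1.2: no one user may ever be
# authorized for all three of these roles.
SEPARATED_ROLES = frozenset({"order_taking", "accounts_receivable", "shipping"})


def working_hours(hour, weekday):
    """The page's example window: 8:00 a.m. to 6:00 p.m., Monday to Friday."""
    return 0 <= weekday <= 4 and 8 <= hour < 18


@dataclass
class Request:
    user: str
    role: str        # the single role the user is currently acting in
    resource: str
    mode: str
    hour: int        # 0-23
    weekday: int     # 0 = Monday ... 6 = Sunday
    location: str    # "office" or "dial-in"


@dataclass
class Resource:
    confidential: bool = False   # time-of-day restriction (17.1.4) applies
    max_users: int = 0           # licence limit (17.1.6); 0 means unlimited


@dataclass
class AccessControl:
    role_rights: dict = field(default_factory=dict)  # role -> resource -> modes
    user_roles: dict = field(default_factory=dict)   # user -> roles held
    resources: dict = field(default_factory=dict)    # name -> Resource
    in_use: dict = field(default_factory=dict)       # resource -> users using it

    def grant(self, role, resource, *modes):
        self.role_rights.setdefault(role, {}).setdefault(resource, set()).update(modes)

    def assign_role(self, user, role):
        """Roles (17.1.2): refuse an assignment that breaches separation of duty."""
        held = self.user_roles.setdefault(user, set())
        if SEPARATED_ROLES <= held | {role}:
            raise ValueError("%s would hold all of %s" % (user, sorted(SEPARATED_ROLES)))
        held.add(role)

    def release(self, user, resource):
        self.in_use.get(resource, set()).discard(user)

    def decide(self, req):
        """Apply the criteria in combination; return (granted, reason)."""
        if req.mode not in MODES:
            return False, "unknown access mode %r" % req.mode
        if req.role not in self.user_roles.get(req.user, set()):
            return False, "%s is not authorized for role %s" % (req.user, req.role)
        rights = self.role_rights.get(req.role, {}).get(req.resource, set())
        effective = set(rights).union(*(IMPLIED.get(m, set()) for m in rights))
        if req.mode not in effective:
            return False, "role %s has no %s right on %s" % (req.role, req.mode, req.resource)
        res = self.resources.get(req.resource, Resource())
        # Time (17.1.4): confidential resources only during working hours.
        if res.confidential and not working_hours(req.hour, req.weekday):
            return False, "confidential resource outside working hours"
        # Location (17.1.3) combined with time: dial-in users get read access
        # during working hours only; office users keep their full rights.
        if req.location == "dial-in":
            if req.mode != "read":
                return False, "only read access when dialing in"
            if not working_hours(req.hour, req.weekday):
                return False, "dial-in access outside working hours"
        # Service constraint (17.1.6): licensed for a fixed number of users.
        users = self.in_use.setdefault(req.resource, set())
        if res.max_users and req.user not in users and len(users) >= res.max_users:
            return False, "licence limit of %d concurrent users reached" % res.max_users
        users.add(req.user)
        return True, "granted"


if __name__ == "__main__":
    ac = AccessControl()
    ac.resources["personnel_files"] = Resource(confidential=True)
    ac.grant("clerk", "personnel_files", "write")
    ac.assign_role("jsmith", "clerk")
    print(ac.decide(Request("jsmith", "clerk", "personnel_files", "read", 10, 2, "office")))
    print(ac.decide(Request("jsmith", "clerk", "personnel_files", "write", 22, 2, "office")))
    print(ac.decide(Request("jsmith", "clerk", "personnel_files", "write", 10, 2, "dial-in")))
```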
IV. Technical Controls

This chapter discusses issues relating to the technical implementation of logical access controls, not the actual policy decisions as to who should have what type of access. These decisions are typically included in system-specific policy, as discussed in Chapters 5 and 10.

A few simple examples of specific policy issues are provided below; it is important to recognize, however, that comprehensive system-specific policy is significantly more complex.

1. The director of an organization's personnel office could decide that all clerks can update all files, to increase the efficiency of the office. Or the director could decide that clerks can only view and update specific files, to help prevent information browsing.

2. In a disbursing office, a single individual is usually prohibited from both requesting and authorizing that a particular payment be made. This is a policy decision taken to reduce the likelihood of embezzlement and fraud.

3. Decisions may also be made regarding access to the system itself. In the government, for example, the senior information resources management official may decide that agency systems that process information protected by the Privacy Act may not be used to process public-access database applications.

Once these policy decisions have been made, they will be implemented or enforced through logical access controls. In doing so, it is important to realize that the capabilities of various types of technical mechanisms for logical access control vary greatly.

17.3 Technical Implementation Mechanisms

Many mechanisms have been developed to provide internal and external access controls, and they vary significantly in terms of precision, sophistication, and cost. These methods are not mutually exclusive and are often employed in
combination. Managers need to analyze their organization's protection requirements to select the most appropriate, cost-effective logical access controls.

17.3.1 Internal Access Controls

Internal access controls are a logical means of separating what defined users (or user groups) can or cannot do with system resources. Five methods of internal access control are discussed in this section: passwords, encryption, access control lists, constrained user interfaces, and labels.

17.3.1.1 Passwords

Passwords are most often associated with user authentication. (See Chapter 16.) However, they are also used to protect data and applications on many systems, including PCs. For instance, an accounting application may require a password to access certain financial data or to invoke a restricted application (or function of an application).[119] Password-based access control is often inexpensive because it is already included in a large variety of applications. However, users may find it difficult to remember additional application passwords, which, if written down or poorly chosen, can lead to their compromise. Password-based access controls for PC applications are often easy to circumvent if the user has access to the operating system (and knowledge of what to do). As discussed in Chapter 16, there are other disadvantages to using passwords.

[119] Note that this password is normally in addition to the one supplied initially to log onto the system.

The use of passwords as a means of access control can result in a proliferation of passwords that can reduce overall security.

17.3.1.2 Encryption

Another mechanism that can be used for logical access control is encryption. Encrypted information can only be decrypted by those possessing the appropriate cryptographic key. This is especially useful if strong physical access controls cannot be provided, such as for laptops or floppy diskettes. Thus, for example, if information is
encrypted on a laptop computer and the laptop is lost or stolen, the information cannot be accessed. While encryption can provide strong access control, it is accompanied by the need for strong key management. Use of encryption may also affect availability. For example, lost or stolen keys or read/write errors may prevent the decryption of the information. (See the cryptography chapter.)

17.3.1.3 Access Control Lists

Access Control Lists (ACLs) refer to a register of: (1) users (including groups, machines, processes) who have been given permission to use a particular system resource, and (2) the types of access they have been permitted.

ACLs vary considerably in their capability and flexibility. Some only allow specifications for certain pre-set groups (e.g., owner, group, and world) while more advanced ACLs allow much more flexibility, such as user-defined groups. Also, more advanced ACLs can be used to explicitly deny access to a particular individual or group. With more advanced ACLs, access can be at the discretion of the policymaker (and implemented by the security administrator) or individual user, depending upon how the controls are technically implemented.

Elementary ACLs. Elementary ACLs (e.g., permission bits) are a widely available means of providing access control on multiuser systems. In this scheme, a short, predefined list of the access rights to files or other system resources is maintained.

Elementary ACLs are typically based on the concepts of owner, group, and world. For each of these, a set of access modes (typically chosen from read, write, execute, and delete) is specified by the owner (or custodian) of the resource. The owner is usually its creator, though in some cases ownership of resources may be automatically assigned to project administrators, regardless of the identity of the creator. File owners often have all privileges for their resources.

Example of Elementary ACL for the file "payroll"
Owner: PAYMANAGER. Access: Read, Write, Execute, Delete.
Group: COMPENSATION-OFFICE. Access: Read, Write, Execute, Delete.
"World": Access: None.
In addition to the privileges assigned to the owner, each resource is associated with a named group of users. Users who are members of the group can be granted modes of access distinct from nonmembers, who belong to the rest of the "world" that includes all of the system's users. User groups may be arranged according to departments, projects, or other ways appropriate for the particular organization. For example, groups may be established for members of the Personnel and Accounting departments. The system administrator is normally responsible for technically maintaining and changing the membership of a group, based upon input from the owners/custodians of the particular resources to which the groups may be granted access.

Unfortunately, elementary ACLs, as the name implies, are not particularly flexible. It may not be possible for two groups to share information without exposing it to the world, since the list is predefined to include only one group. If two groups wish to share information, the file owner may make it available to be read by world. This may disclose information that should be restricted. Or consider the case of a complex application in which many groups of users are defined; elementary ACLs may not easily permit such sharing.

Also, the technology may make it possible to explicitly deny access to an individual who is a member of the file's group. Since one would presume that no one would have access unless granted, why would it be desirable to explicitly deny access? Consider a situation in which a group name has already been established for 50 employees. If it were desired to exclude five of the individuals from that group, it would be easier for the access control administrator to simply grant access to that group and take it away from the five rather than grant access to 45 people. Or it may be desired, for some reason, to prohibit Ms. X from generating a particular report (perhaps she is under investigation). In a situation in which group names are used (and perhaps modified by others), this explicit denial may be a safety check to restrict Ms. X in case someone were to redefine a group with access to the report generation function to include her. She would still be denied access.
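The elementary "payroll" ACL and the Ms. X explicit-denial case above, worked as an added Python model (not code from the handbook); the user names, the membership directory and the REPORTING group are constructed for illustration:

```python
"""Added example: elementary (owner/group/world) vs. advanced (explicit-deny) ACLs.

Hypothetical model for the handbook text; names other than PAYMANAGER and
COMPENSATION-OFFICE, and all memberships, are constructed.
"""
from dataclasses import dataclass, field

# Access modes from section 17.1.7.
READ, WRITE, EXECUTE, DELETE = "read", "write", "execute", "delete"
ALL = frozenset({READ, WRITE, EXECUTE, DELETE})
NONE = frozenset()


@dataclass
class ElementaryACL:
    """Owner/group/world entries; exactly one group can be named."""
    owner: str
    group: str
    owner_modes: frozenset
    group_modes: frozenset
    world_modes: frozenset

    def permits(self, user: str, groups_of_user: set, mode: str) -> bool:
        # Evaluate the most specific entry that matches the requester.
        if user == self.owner:
            return mode in self.owner_modes
        if self.group in groups_of_user:
            return mode in self.group_modes
        return mode in self.world_modes


@dataclass
class AdvancedACL:
    """User-defined groups plus explicit denies (section 17.3.1.3)."""
    grants: dict = field(default_factory=dict)   # principal -> modes
    denies: dict = field(default_factory=dict)   # principal -> modes

    def permits(self, user: str, groups_of_user: set, mode: str) -> bool:
        principals = {user} | set(groups_of_user)
        # An explicit deny wins over any grant, so a later change to a
        # group's membership cannot quietly re-admit a denied individual.
        if any(mode in self.denies.get(p, NONE) for p in principals):
            return False
        return any(mode in self.grants.get(p, NONE) for p in principals)


# Constructed membership directory (user -> groups).
DIRECTORY = {
    "PAYMANAGER": {"COMPENSATION-OFFICE"},
    "clerk1": {"COMPENSATION-OFFICE"},
    "visitor": set(),
    "ms_x": {"PAY-OFFICE"},
}

# The handbook's elementary ACL for the file "payroll".
PAYROLL = ElementaryACL(
    owner="PAYMANAGER", group="COMPENSATION-OFFICE",
    owner_modes=ALL, group_modes=ALL, world_modes=NONE,
)


def elementary_decisions() -> dict:
    """Who may read 'payroll' under the elementary ACL."""
    return {u: PAYROLL.permits(u, g, READ) for u, g in DIRECTORY.items()}


def report_generation_acl() -> AdvancedACL:
    """PAY-OFFICE may run the report; Ms. X is explicitly denied."""
    acl = AdvancedACL()
    acl.grants["PAY-OFFICE"] = frozenset({EXECUTE})
    acl.denies["ms_x"] = frozenset({EXECUTE})
    return acl


def ms_x_after_group_redefined(acl: AdvancedACL) -> bool:
    """Someone later adds Ms. X to a second group that also holds the grant."""
    acl.grants["REPORTING"] = frozenset({EXECUTE})
    groups = DIRECTORY["ms_x"] | {"REPORTING"}
    return acl.permits("ms_x", groups, EXECUTE)   # still False


if __name__ == "__main__":
    print(elementary_decisions())
    acl = report_generation_acl()
    print("clerk in PAY-OFFICE:", acl.permits("clerk2", {"PAY-OFFICE"}, EXECUTE))
    print("Ms. X:", acl.permits("ms_x", DIRECTORY["ms_x"], EXECUTE))
    print("Ms. X after redefinition:", ms_x_after_group_redefined(acl))
```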
Advanced ACLs. Like elementary ACLs, advanced ACLs provide a form of access control based upon a logical registry. They do, however, provide finer precision in control.

Advanced ACLs can be very useful in many complex information sharing situations. They provide a great deal of flexibility in implementing system-specific policy and allow for customization to meet the security requirements of functional managers. Their flexibility also makes them more of a challenge to manage. The rules for determining access in the face of apparently conflicting ACL entries are not uniform across all implementations and can be confusing to security administrators. When such systems are introduced, they should be coupled with training to ensure their correct use.

Example of Advanced ACL (settings for the users L. Carnahan, B. Guttman, E. Roback, H. Smith, and R. Anderson, the group PAY-OFFICE, paymgr, and world, across the read, write, execute, and delete modes)

17.3.1.4 Constrained User Interfaces

Often used in conjunction with ACLs are constrained user interfaces, which restrict users' access to specific functions by never allowing them to request the use of information, functions, or other specific system resources for which they do not have access. Three major types exist: (1) menus, (2) database views, and (3) physically constrained user interfaces.

Constrained user interfaces can provide a form of access control that closely models how an organization operates. Many systems allow administrators to restrict users' ability to use the operating system or application system directly. Users can only execute commands that are provided by the administrator, typically in the form of a menu.
Another means of restricting users is through restricted shells, which limit the system commands the user can invoke. The use of menus and shells can often make the system easier to use and can help reduce errors.

Menu-driven systems are a common constrained user interface, where different users are provided different menus on the same system.

Database views is a mechanism for restricting user access to data contained in a database. It may be necessary to allow a user to access a database, but that user may not need access to all the data in the database (e.g., not all fields of a record nor all records in the database). Views can be used to enforce complex access requirements that are often needed in database situations, such as those based on the content of a field. For example, consider the situation where clerks maintain personnel records in a database. Clerks are assigned a range of clients based upon last name (e.g., A-C, D-G). Instead of granting a user access to all records, the view can grant the user access to the record based upon the first letter of the last name field.

Physically constrained user interfaces can also limit a user's abilities. A common example is an ATM machine, which provides only a limited number of physical buttons to select options; no alphabetic keyboard is usually present.
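The A-C clerk view described above, as an added example in Python with sqlite3 (not from the handbook); the personnel table, its columns and rows are constructed, and the INSTEAD OF trigger that routes the clerk's updates back to the base table is an assumption about how such a view would accept updates:

```python
"""Added example: a database view as a constrained interface (section 17.3.1.4).

Constructed personnel table. The clerk for the A-C range works only through the
view 'clerk_a_to_c', which hides the salary column and shows only rows whose
last name starts with A, B or C. An INSTEAD OF trigger lets the view accept
phone-number updates while keeping them inside the same range.
"""
import sqlite3

SCHEMA = """
CREATE TABLE personnel (
    emp_id    INTEGER PRIMARY KEY,
    last_name TEXT NOT NULL,
    phone     TEXT,
    salary    INTEGER        -- never exposed through the clerk view
);
-- Row restriction by the first letter of the last-name field,
-- column restriction by listing only the fields the clerk needs.
CREATE VIEW clerk_a_to_c AS
    SELECT emp_id, last_name, phone
    FROM personnel
    WHERE substr(upper(last_name), 1, 1) BETWEEN 'A' AND 'C';
-- Updates through the view are rewritten against the base table,
-- but only for rows that are inside the clerk's range.
CREATE TRIGGER clerk_a_to_c_update INSTEAD OF UPDATE OF phone ON clerk_a_to_c
BEGIN
    UPDATE personnel SET phone = NEW.phone
    WHERE emp_id = OLD.emp_id
      AND substr(upper(last_name), 1, 1) BETWEEN 'A' AND 'C';
END;
"""

SAMPLE_ROWS = [  # constructed data
    (1, "Adams", "555-0101", 52000),
    (2, "Baker", "555-0102", 61000),
    (3, "Cole", "555-0103", 47000),
    (4, "Davis", "555-0104", 58000),
    (5, "Garcia", "555-0105", 73000),
]


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO personnel VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def clerk_visible_names(conn) -> list:
    """Rows the A-C clerk can see through the view."""
    rows = conn.execute("SELECT last_name FROM clerk_a_to_c ORDER BY last_name")
    return [r[0] for r in rows]


def clerk_columns(conn) -> list:
    """Fields exposed by the view (salary is absent)."""
    cur = conn.execute("SELECT * FROM clerk_a_to_c LIMIT 1")
    return [d[0] for d in cur.description]


def clerk_update_phone(conn, emp_id: int, phone: str) -> int:
    """Update through the view; returns how many base rows actually changed."""
    conn.execute("UPDATE clerk_a_to_c SET phone = ? WHERE emp_id = ?",
                 (phone, emp_id))
    conn.commit()
    return conn.execute(
        "SELECT count(*) FROM personnel WHERE emp_id = ? AND phone = ?",
        (emp_id, phone)).fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    print(clerk_columns(db), clerk_visible_names(db))
    print("Adams updated:", clerk_update_phone(db, 1, "555-0199"))
    print("Davis updated:", clerk_update_phone(db, 4, "555-0199"))  # 0: outside A-C
```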
17.3.1.5 Security Labels

A security label is a designation assigned to a resource (such as a file). Labels can be used for a variety of purposes, including controlling access, specifying protective measures, or indicating additional handling instructions. In many implementations, once this designator has been set, it cannot be changed (except perhaps under carefully controlled conditions that are subject to auditing).

Data Categorization
One tool that is used to increase the ease of security labelling is categorizing data by similar protection requirements. For example, a label could be developed for organization proprietary data. This label would mark information that can be disclosed only to the organization's employees. Another label, public data, could be used to mark information that is available to anyone.

When used for access control, labels are also assigned to user sessions. Users are permitted to initiate sessions with specific labels only. For example, a file bearing the label "Organization Proprietary Information" would not be accessible (readable) except during user sessions with the corresponding label. Moreover, only a restricted set of users would be able to initiate such sessions. The labels of the session and those of the files accessed during the session are used, in turn, to label output from the session. This ensures that information is uniformly protected throughout its life on the system.

Labels are a very strong form of access control; however, they are often inflexible and can be expensive to administer. Unlike permission bits or access control lists, labels cannot ordinarily be changed. Since labels are permanently linked to specific information, data cannot be disclosed by a user copying information and changing the access to that file so that the information is more accessible than the original owner intended. By removing users' ability to arbitrarily designate the accessibility of files they own, opportunities for certain kinds of human errors and malicious software problems are eliminated. In the example above, it would not be possible to copy Organization Proprietary Information into a file with a different label. This prevents inappropriate disclosure, but can interfere with legitimate extraction of some information.

For systems with stringent security requirements (such as those processing national security information), labels may be useful in access control.

Labels are well suited for consistently and uniformly enforcing access restrictions, although their administration and inflexibility can be a significant deterrent to their use.
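The session and file labelling just described, as an added Python model (not the handbook's code): two constructed labels, PUBLIC and ORG_PROPRIETARY, the users alice and bob and the file names are assumptions, and "corresponding label" is generalized to an ordering in which the session label must dominate the file's label:

```python
"""Added example: label-based access control on files and sessions (17.3.1.5).

Constructed model. A session reads a file only if the session label dominates
the file's label; everything the session writes is labelled with the highest
label it has touched, so proprietary data cannot be copied into a file with a
lower label, and nobody (owner included) can relabel a file.
"""
LEVELS = {"PUBLIC": 0, "ORG_PROPRIETARY": 1}


def dominates(a: str, b: str) -> bool:
    """True when label a is at least as restrictive as label b."""
    return LEVELS[a] >= LEVELS[b]


class LabelError(PermissionError):
    pass


class LabelledStore:
    """Files whose label is fixed at creation; there is no relabel path."""

    def __init__(self):
        self.files = {}  # name -> (label, content)

    def create(self, name, label, content=""):
        if name in self.files:
            raise LabelError(f"{name} exists; its label cannot be changed")
        self.files[name] = (label, content)

    def relabel(self, name, new_label):
        # Unlike permission bits, the label is not at the owner's discretion.
        raise LabelError(f"relabelling {name} to {new_label} is not permitted")


class Session:
    """A user session carrying one label; its output is labelled from the
    session label and the labels of the files it has read."""

    def __init__(self, user, label, store, authorised):
        if label not in authorised.get(user, set()):
            raise LabelError(f"{user} may not start a {label} session")
        self.user, self.label, self.store = user, label, store
        self.high_water = "PUBLIC"  # highest file label read so far

    def read(self, name):
        file_label, content = self.store.files[name]
        if not dominates(self.label, file_label):
            raise LabelError(f"{name} is {file_label}; session is {self.label}")
        if dominates(file_label, self.high_water):
            self.high_water = file_label
        return content

    def write(self, name, content):
        out = self.high_water if dominates(self.high_water, self.label) else self.label
        self.store.create(name, out, content)
        return out


# Constructed users and the session labels each may initiate.
AUTHORISED = {"alice": {"PUBLIC", "ORG_PROPRIETARY"}, "bob": {"PUBLIC"}}


def build_store():
    store = LabelledStore()
    store.create("payroll_policy.txt", "ORG_PROPRIETARY", "internal only")
    store.create("press_release.txt", "PUBLIC", "for everyone")
    return store


def copy_attempt():
    """Alice reads proprietary data and saves it under a new name; the copy
    keeps the proprietary label, so it is no more accessible than the original."""
    store = build_store()
    s = Session("alice", "ORG_PROPRIETARY", store, AUTHORISED)
    return s.write("copy.txt", s.read("payroll_policy.txt"))


def relabel_attempt():
    """Even the creator cannot lower a file's label; True if the attempt is refused."""
    store = build_store()
    try:
        store.relabel("payroll_policy.txt", "PUBLIC")
    except LabelError:
        return True
    return False


def bob_access():
    """What a user limited to PUBLIC sessions can and cannot do."""
    store = build_store()
    s = Session("bob", "PUBLIC", store, AUTHORISED)
    out = {"press": s.read("press_release.txt") == "for everyone"}
    try:
        s.read("payroll_policy.txt")
        out["payroll"] = True
    except LabelError:
        out["payroll"] = False
    try:
        Session("bob", "ORG_PROPRIETARY", store, AUTHORISED)
        out["session"] = True
    except LabelError:
        out["session"] = False
    return out
```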
17.3.2 External Access Controls

External access controls are a means of controlling interactions between the system and outside people, systems, and services. External access controls use a wide variety of methods, often including a separate physical device (e.g., a computer) that is between the system being protected and a network.

17.3.2.1 Port Protection Devices

Fitted to a communications port of a host computer, a port protection device (PPD) authorizes access to the port itself, prior to and independent of the computer's own access control functions. A PPD can be a separate device in the communications stream, or it may be incorporated into a communications device (e.g., a modem). PPDs typically require a separate authenticator, such as a password, in order to access the communications port.[120]

One of the most common PPDs is the dial-back modem. A typical dial-back modem sequence follows: a user calls the dial-back modem and enters the password. The modem hangs up on the user and performs a table lookup for the password provided. If the password is found, the modem places a return call to the user (at a previously specified number) to initiate the session. The return call itself also helps to protect against the use of lost or compromised accounts. This is, however, not always the case. Malicious hackers can use such advance functions as call forwarding to reroute calls.

17.3.2.2 Secure Gateways/Firewalls

Often called firewalls, secure gateways block or filter access between two networks, often between a private network[121] and a larger, more public network such as the Internet, which attract malicious hackers. Secure gateways allow internal users to connect to external networks and at the same time prevent malicious hackers from compromising the internal systems.

Some secure gateways are set up to allow all traffic to pass through except for specific traffic which has known or suspected vulnerabilities or security problems, such as remote log-in services. Other secure gateways are set up to disallow all traffic except for specific types, such as e-mail. Some secure gateways can make access-control decisions based on the location of the requester. There are several technical approaches and mechanisms used to support secure gateways.[122]

[120] Typically, PPDs are found only in serial communications streams.

[121] Private network is somewhat of a misnomer. Private does not mean that the organization's network is totally inaccessible to outsiders, or would be disconnected, or prohibits use of the outside network from insiders. It also does not mean that all the information on the network requires confidentiality protection. It does mean that a network or part of a network is in some way separated from another network.

[122] Questions frequently arise as to whether secure gateways help prevent the spread of viruses. In general, having a gateway scan transmitted files for viruses requires more system overhead than is practical, especially since the scanning would have to handle many different file formats. However, secure gateways may reduce the spread of network worms.
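The two gateway policy styles above (allow everything except known-problem services; disallow everything except e-mail) with a location-aware decision, as an added Python example in the first-match style of a packet filtering router; the rule sets, port numbers, addresses and the 10.0.0.0/8 private network are constructed, not taken from the handbook:

```python
"""Added example: packet-filter style rule evaluation for the two gateway
policy styles in section 17.3.2.2. Rule sets, ports and addresses are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

# Constructed address plan: the private network behind the gateway.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
SMTP, TELNET, RLOGIN, HTTP = 25, 23, 513, 80


@dataclass(frozen=True)
class Request:
    src: str        # requester's address
    dst_port: int   # service requested


def location(req: Request) -> str:
    """Where the requester is relative to the private network."""
    return "inside" if ipaddress.ip_address(req.src) in INTERNAL_NET else "outside"


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: str = "any"                # "inside", "outside" or "any"
    dst_port: Optional[int] = None  # None matches every port

    def matches(self, req: Request) -> bool:
        return (self.src in ("any", location(req))
                and (self.dst_port is None or self.dst_port == req.dst_port))


def decide(rules: List[Rule], default: str, req: Request) -> str:
    """First matching rule wins; otherwise the gateway's default applies."""
    for rule in rules:
        if rule.matches(req):
            return rule.action
    return default


# Style 1: let everything through except services with known problems
# (remote log-in) when they come from outside.
PERMISSIVE = ([Rule("deny", "outside", TELNET),
               Rule("deny", "outside", RLOGIN)], "allow")

# Style 2: refuse everything from outside except e-mail; insiders may
# still connect outward.
RESTRICTIVE = ([Rule("allow", "inside"),
                Rule("allow", "outside", SMTP)], "deny")

SAMPLE: List[Request] = [  # constructed traffic
    Request("192.0.2.7", SMTP), Request("192.0.2.7", TELNET), Request("192.0.2.7", HTTP),
    Request("10.1.2.3", TELNET), Request("10.1.2.3", HTTP),
]


def evaluate(policy: Tuple[List[Rule], str], requests=SAMPLE) -> List[str]:
    """Decision for each request under the given (rules, default) policy."""
    rules, default = policy
    return [decide(rules, default, r) for r in requests]


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("restrictive", RESTRICTIVE)):
        for req, verdict in zip(SAMPLE, evaluate(policy)):
            print(f"{name:11s} {req.src:>10s}:{req.dst_port:<4d} {verdict}")
```

The same traffic gets fewer "allow" verdicts under the restrictive policy, which is the usage trade-off the handbook notes in the next paragraph.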
Because gateways provide security by restricting services or traffic, they can affect a system's usage. For this reason, firewall experts always emphasize the need for policy, so that appropriate officials decide how the organization will balance operational needs and security.

In addition to reducing the risks from malicious hackers, secure gateways have several other benefits. They can reduce internal security overhead, since they allow an organization to concentrate security efforts on a limited number of machines. (This is similar to putting a guard on the first floor of a building instead of needing a guard on every floor.) A second benefit is the centralization of services. A secure gateway can be used to provide a central management point for various services, such as advanced authentication (discussed in Chapter 16), e-mail, or public dissemination of information. Having a central management point can reduce system overhead and improve service.

Types of Secure Gateways
There are many types of secure gateways. Some of the most common are packet filtering (or screening) routers, proxy hosts, bastion hosts, dual-homed gateways, and screened-host gateways.
17.3.2.3 Host-Based Authentication

Host-based authentication grants access based upon the identity of the host originating the request, instead of the identity of the user making the request. Many network applications in use today use host-based authentication to determine whether access is allowed. Under certain circumstances it is fairly easy to masquerade as the legitimate host, especially if the masquerading host is physically located close to the host being impersonated. Security measures to protect against misuse of some host-based authentication systems are available (e.g., Secure RPC[123] uses DES to provide a more secure identification of the client host).

An example of host-based authentication is the Network File System (NFS), which allows a server to make file systems/directories available to specific machines.

[123] RPC, or Remote Procedure Call, is the service used to implement NFS.

17.4 Administration of Access Controls

One of the most complex and challenging aspects of access control administration involves implementing, monitoring, modifying, testing, and terminating user accesses on the system. These can be demanding tasks, even though they typically do not include making the actual decisions as to the type of access each user may have.[124] Decisions regarding accesses should be guided by organizational policy, employee job descriptions and tasks, information sensitivity, user need-to-know determinations, and many other factors.

There are three basic approaches to administering access controls: centralized, decentralized, or a combination of these. Each has relative advantages and disadvantages. Which is most appropriate in a given situation will depend upon the particular organization and its circumstances.

[124] As discussed in the policy section earlier in this chapter, those decisions are usually the responsibility of the applicable application manager or cognizant management official. See also the discussion of system-specific policy in Chapters 5 and 10.

System and Security Administration
The administration of systems and security requires access to advanced functions (such as setting up a user account). The individuals who technically set up and modify who has access to what are very powerful users on the system. They are often called system or security administrators. On some systems, these users are referred to as having privileged accounts.
The type of access of these accounts varies considerably. Some administrator privileges, for example, may allow an individual to administer only one application or subsystem, while a higher level of privilege may allow for oversight and establishment of subsystem administrators. Furthermore, it is important to minimize opportunities for unauthorized individuals to gain access to these functions. Additional I&A precautions, such as ensuring that administrator passwords are robust and changed regularly, and that individuals who are security administrators have two accounts (one for regular use and one for security use), can help protect the security account from compromise.

17.4.1 Centralized Administration

Using centralized administration, one office or individual is responsible for configuring access controls. As users' information processing needs change, their accesses can be modified only through the central office, usually after requests have been approved by the appropriate official. This allows very strict control over information, because the ability to make changes resides with very few individuals. Each user's account can be centrally monitored, and closing all accesses for any user can be accomplished relatively easily if that individual leaves the organization. Since few individuals oversee the process, consistent and uniform procedures and criteria are usually not difficult to enforce. However, when changes are needed quickly, going through a central administration office can be frustrating and time-consuming.

17.4.2 Decentralized Administration

In decentralized administration, access is directly controlled by the owners or creators of the
files, often the functional manager. This keeps control in the hands of those most accountable for the information, most familiar with it and its uses, and best able to judge who needs what kind of access. This may lead, however, to a lack of consistency among owners/creators as to procedures and criteria for granting user accesses and capabilities. Also, when requests are not processed centrally, it may be much more difficult to form a systemwide composite view of all user accesses on the system at any given time. Different application or data owners may inadvertently implement combinations of accesses that introduce conflicts of interest or that are in some other way not in the organization's best interest.[125] It may also be difficult to ensure that all accesses are properly terminated when an employee transfers internally or leaves an organization.

[125] Without necessary review mechanisms, central administration does not a priori preclude this.

17.4.3 Hybrid Approach

A hybrid approach combines centralized and decentralized administration. One typical arrangement is that central administration is responsible for the broadest and most basic accesses, and the owners/creators of files control types of accesses or changes in users' abilities for the files under their control. The main disadvantage to a hybrid approach is in adequately defining which accesses should be assignable locally and which should be assignable centrally.

17.5 Coordinating Access Controls

It is vital that access controls protecting a system work together. At a minimum, three basic types of access controls should be considered: physical, operating system, and application. In general, access controls within an application are the most specific. However, for application access controls to be fully effective they need to be supported by operating
system access controls. Otherwise, access can be made to application resources without going through the application.[126]

Operating system and application access controls need to be supported by physical access controls.

[126] For example, logical access controls within an application block User A from viewing File F. However, if operating systems access controls do not also block User A from viewing File F, User A can use a utility program (or another application) to view the file.

17.6 Interdependencies

Logical access controls are closely related to many other controls. Several of them have been discussed in the chapter.

Policy and Personnel. The most fundamental interdependencies of logical access control are with policy and personnel. Logical access controls are the technical implementation of system-specific and organizational policy, which stipulates who should be able to access what kinds of information, applications, and functions. These decisions are normally based on the principles of separation of duties and least privilege.

Audit Trails. As discussed earlier, logical access controls can be difficult to implement correctly. Also, it is sometimes not possible to make logical access control as precise, or fine-grained, as would be ideal for an organization. In such situations, users may either deliberately or inadvertently abuse their access. For example, access controls cannot prevent a user from modifying data the user is authorized to modify, even if the modification is incorrect. Auditing provides a way to identify abuse of access permissions. It also provides a means to review the actions of system or security administrators.

Identification and Authentication. In most logical access control scenarios, the identity of the user must be established before an access control decision can be made. The access control process then associates the
permissible forms of accesses with that identity. This means that access control can only be as effective as the I&A process employed for the system.

Physical Access Control. Most systems can be compromised if someone can physically access the machine (i.e., CPU or other major components) by, for example, restarting the system with different software. Logical access controls are, therefore, dependent on physical access controls (with the exception of encryption, which can depend solely on the strength of the algorithm and the secrecy of the key).

17.7 Cost Considerations

Incorporating logical access controls into a computer system involves the purchase or use of access control mechanisms, their implementation, and changes in user behavior.

Direct Costs. Among the direct costs associated with the use of logical access controls are the purchase and support of hardware, operating systems, and applications that provide the controls, and any add-on security packages. The most significant personnel cost in relation to logical access control is usually for administration (e.g., initially determining, assigning, and keeping access rights up to date). Label-based access control is available in a limited number of commercial products, but at greater cost and with less variety of selection. Role-based systems are becoming more available, but there are significant costs involved in customizing these systems for a particular organization. Training users to understand and use an access control system is another necessary cost.

Indirect Costs. The primary indirect cost associated with introducing logical access controls into a computer system is the effect on user productivity. There may be additional overhead involved in having individual users properly determine (when under their control) the protection attributes of information. Another indirect cost that may arise results from users not being able to immediately access information necessary to accomplish their jobs because the permissions were incorrectly assigned
or have changed. This situation is familiar to most organizations that put strong emphasis on logical access controls.
Chapter 18
AUDIT TRAILS

Audit trails maintain a record of system activity both by system and application processes and by user activity of systems and applications.[127] In conjunction with appropriate tools and procedures, audit trails can assist in detecting security violations, performance problems, and flaws in applications.[128]

The Difference Between Audit Trails and Auditing
An audit trail is a series of records of computer events, about an operating system, an application, or user activities. A computer system may have several audit trails, each devoted to a particular type of activity. Auditing is the review and analysis of management, operational, and technical controls. The auditor can obtain valuable information about activity on a computer system from the audit trail. Audit trails improve the auditability of the computer system. Auditing is discussed in the assurance chapter.

Audit trails may be used as either a support for regular system operations or a kind of insurance policy or as both of these. As insurance, audit trails are maintained but are not used unless needed, such as after a system outage. As a support for operations, audit trails are used to help system administrators ensure that the system or resources have not been harmed by hackers, insiders, or technical problems.

This chapter focuses on audit trails as a technical control,

[127] Some security experts make a distinction between an audit trail and an audit log as follows: a log is a record of events made by a particular software package, and an audit trail is an entire history of an event, possibly using several logs. However, common usage within the security community does not make use of this definition. Therefore, this document does not distinguish between logs and audit trails.

[128] The type and amount of detail recorded by audit trails vary by both the technical capability of the logging application and the managerial decisions. Therefore, when we state what audit trails can do, the reader should be aware that capabilities vary widely.
rather than the process of security auditing, which is a review and analysis of the security of a system as discussed in Chapter 9. This chapter discusses the benefits and objectives of audit trails, the types of audit trails, and some common implementation issues.

18.1 Benefits and Objectives

Audit trails can provide a means to help accomplish several security-related objectives, including individual accountability, reconstruction of events (actions that happen on a computer system), intrusion detection, and problem analysis.

An event is any action that happens on a computer system. Examples include logging into a system, executing a program, and opening a file.

18.1.1 Individual Accountability

Audit trails are a technical mechanism that help managers maintain individual accountability. By advising users that they are personally accountable for their actions, which are tracked by an audit trail that logs user activities, managers can help promote proper user behavior. Users are less likely to attempt to circumvent security policy if they know that their actions will be recorded in an audit log.[129]

For example, audit trails can be used in concert with access controls to identify and provide information about users suspected of improper modification of data (e.g., introducing errors into a database). An audit trail may record "before" and "after" versions of records. (Depending upon the size of the file and the capabilities of the audit logging tools, this may be very resource-intensive.) Comparisons can then be made between the actual changes made to records and what was expected. This can help management determine if errors were made by the user, by the system or application software, or by some other source.
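Two of the analyses this section describes, comparing recorded before/after versions against the changes that were expected, and spotting a personnel clerk who prints far more records than the average user, as an added Python example (not from the handbook) over a constructed audit trail; the record ids, field names, approved-change register and the outlier factor are all assumptions:

```python
"""Added example: audit-trail analyses from section 18.1.1 on constructed records.

Each record is (user, event, details). UPDATE carries the before/after
versions of a personnel record; PRINT names the record printed.
"""
from collections import Counter
from statistics import mean

# Constructed audit trail for a personnel office.
TRAIL = [
    ("clerk_a", "UPDATE", {"rec": 101, "before": {"phone": "555-0101"},
                           "after": {"phone": "555-0199"}}),
    ("clerk_a", "UPDATE", {"rec": 102, "before": {"grade": 7},
                           "after": {"grade": 9}}),
    ("clerk_b", "UPDATE", {"rec": 205, "before": {"phone": "555-0205"},
                           "after": {"phone": "555-0206"}}),
    ("clerk_a", "PRINT", {"rec": 101}),
    ("clerk_b", "PRINT", {"rec": 205}),
]
# clerk_c prints a dozen records in the same period (constructed).
TRAIL += [("clerk_c", "PRINT", {"rec": 300 + i}) for i in range(12)]

# Approved change requests: record -> fields that were expected to change.
APPROVED = {101: {"phone"}, 205: {"phone"}}


def field_changes(before: dict, after: dict) -> set:
    """Fields whose value differs between the recorded versions."""
    return {k for k in set(before) | set(after) if before.get(k) != after.get(k)}


def unexpected_changes(trail, approved) -> list:
    """Actual changes not covered by an approved request: (user, record, field).

    A hit points management at the user who made the change; whether it was
    the user, the software or something else is then a question for review."""
    findings = []
    for user, event, d in trail:
        if event != "UPDATE":
            continue
        surplus = field_changes(d["before"], d["after"]) - approved.get(d["rec"], set())
        findings.extend((user, d["rec"], f) for f in sorted(surplus))
    return findings


def print_outliers(trail, factor: float = 3.0) -> list:
    """Users who printed more than `factor` times the average of the other users."""
    counts = Counter(u for u, e, _ in trail if e == "PRINT")
    flagged = []
    for user, n in counts.items():
        others = [c for u, c in counts.items() if u != user]
        if others and n > factor * mean(others):
            flagged.append((user, n))
    return flagged


if __name__ == "__main__":
    print("unexpected changes:", unexpected_changes(TRAIL, APPROVED))
    print("print outliers:", print_outliers(TRAIL))
```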
of records Depending capabilities of the audit logging tools this may be upon very resource- Comparisons can then be made between the actual changes made to records and what was expected This can help management determine if errors were made by the user by the system or application software or by some other source intensive Audit trails work in concert with logical access controls which restrict use of system resources Granting users access to particular resources usually means that they need that access to accomplish their job Authorized access of course can be misused which analysis is useful is where audit trail While users cannot be prevented from using resources to which they have legitimate access authorization audit trail analysis is used to examine their actions For example consider a personnel office in which users have access to those personnel records for which they are responsible Audit trails can reveal that an individual printing far is more records than average user which could indicate the selling of personal data Another example engineer who is using a computer for the design of a reveal that an outgoing modem was new product Audit trail the may be an analysis could used extensively by the engineer the week before quitting This could be used to investigate whether proprietary data files were sent to an unauthorized party 18 1 2 Reconstruction of Events Audit more trails problem has occurred Damage can be of system activity to pinpoint how when and why can also be used to reconstruct events easily assessed by reviewing audit normal operations ceased Audit errors during trail trails after a analysis can often distinguish between operator-induced which the system may have performed exactly as instructed or system-created from a poorly tested piece of replacement code If for example a system errors e g arising fails 129 or the integrity of a For a file fuller discussion of either program or data is questioned an analysis of the audit changing employee 
behavior see Chapter 212 13 trail 18 Audit Trails can reconstruct the series of steps taken by the system the users and the application Knowledge of the conditions that existed at the time of for example a system crash can be useful in avoiding Additionally if a technical problem occurs e g the corruption of a data future outages audit trails can aid in the recovery process e g reconstruct the by using the record of changes made file to file 18 1 3 Intrusion Detection Intrusion detection refers to the process of identifying attempts to penetrate a system and gain unauthorized have been designed and If audit trails access implemented to record appropriate information they can assist in intrusion iii iihii mini w i mi n wimimiiium Although normally thought of as a detection real-time effort intrusions can be detected in real time by examining audit records as they are created or through the use of other kinds of warning flags notices or after the fact e g by examining audit records in a batch process Real-time intrusion detection access to the system of for It may example a virus or is primarily aimed at outsiders attempting to gain unauthorized also be used to detect changes in the system's worm attack 130 There may be difficulties in performance indicative implementing real-time auditing including unacceptable system performance After-the-fact identification successful may was attempted or was damage assessment or reviewing controls that were indicate that unauthorized access Attention can then be given to attacked 18 1 4 Audit Problem Analysis trails may also be used as on-line tools to help identify they occur This application is is deemed may be implemented be difficulties problems other than intrusions as often referred to as real-time auditing or monitoring If a system or to be critical to an organization's business or mission real-time auditing to monitor the status of these processes although as noted above there can with real-time analysis system operated 
normally i e An analysis of the audit trails that an error may be able to verify that the may have resulted from operator error as opposed to trails may be complemented by system performance a system-originated error Such use of audit logs For example a outgoing 130 significant increase in the use of modem use Viruses and itself to existing system resources e g disk file space or could indicate a security problem of malicious code A virus is a code A worm is a self-replicating program worms of forms executables 213 segment that replicates by attaching copies of Technical Controls IV Audit Trails and Logs 18 2 A system can maintain several different audit trails concurrently There are typically two kinds of audit records 1 an event-oriented log and 2 a record of every keystroke often called keystroke monitoring Event-based logs usually contain records describing system events application events or user events An audit trail should include sufficient information to establish what events occurred and who or what caused them In general an event record should specify when the event occurred the user program or command used to initiate the event and the result Date and time can help determine if the user was a masquerader or the actual person specified ID associated with 18 2 1 the event the 131 Keystroke Monitoring Keystroke monitoring is the process used to view or record both the keystrokes entered by a computer user and the computer's response during an interactive session Keystroke monitoring is usually considered a special case of audit trails Examples of keystroke monitoring would include viewing characters as they are typed by users reading users' electronic mail and viewing other recorded information typed by users Some forms of routine system maintenance keystroke monitoring if may record user keystrokes This could constitute the keystrokes are preserved along with the user identification so that an administrator could determine the keystrokes entered by 
Keystroke monitoring is conducted in an effort to protect systems and data from intruders who access the systems without authority or in excess of their assigned authority. Monitoring keystrokes typed by intruders can help administrators assess and repair damage caused by intruders.[131]

[131] The Department of Justice has advised that an ambiguity in U.S. law makes it unclear whether keystroke monitoring is considered equivalent to an unauthorized telephone wiretap. The ambiguity results from the fact that current laws were written years before such concerns as keystroke monitoring or system intruders became prevalent. Additionally, no legal precedent has been set to determine whether keystroke monitoring is legal or illegal. System administrators conducting such monitoring might be subject to criminal and civil liabilities. The Department of Justice advises system administrators to protect themselves by giving notice to system users if keystroke monitoring is being conducted. Notice should include agency/organization policy statements, training on the subject, and a banner notice on each system being monitored. (NIST CSL Bulletin, March 1993.)

18.2.2 Audit Events

System audit records are generally used to monitor and fine-tune system performance. Application audit trails may be used to discern flaws in applications, or violations of security policy committed within an application. User audit records are generally used to hold individuals accountable for their actions. An analysis of user audit records may expose a variety of security violations, which might range from simple browsing to attempts to plant Trojan horses or gain unauthorized privileges.

The system itself enforces certain aspects of policy (particularly system-specific policy), such as access to files and access to the system itself. Monitoring the alteration of the system configuration files that implement the policy is important. If special accesses (e.g., security administrator access) have to be used to alter configuration files, the system should generate audit records whenever these accesses are used.

    Sample System Log File Showing Authentication Messages

    Jan 27 17:14:04 host1 login: ROOT LOGIN console
    Jan 27 17:15:04 host1 shutdown: reboot by root
    Jan 27 17:18:38 host1 login: ROOT LOGIN console
    Jan 27 17:19:37 host1 reboot: rebooted by root
    Jan 28 09:46:53 host1 su: 'su root' succeeded for user1 on /dev/ttyp0
    Jan 28 09:47:35 host1 shutdown: reboot by user1
    Jan 28 09:53:24 host1 su: 'su root' succeeded for user1 on /dev/ttyp1
    Feb 12 08:53:22 host1 su: 'su root' succeeded for user1 on /dev/ttyp1
    Feb 17 08:57:50 host1 date: set by user1
    Feb 17 13:22:52 host1 su: 'su root' succeeded for user1 on /dev/ttyp0

Sometimes a finer level of detail than system audit trails provide is required. Application audit trails can provide this greater level of detail. If an application is critical, it can be desirable to record not only who invoked the application, but certain details specific to each use. For example, consider an e-mail application. It may be desirable to record who sent mail, as well as to whom they sent it and the length of messages. Another example would be that of a database application. It may be useful to record who accessed what database, as well as the individual rows or columns of a table that were read (or changed or deleted), instead of just recording the execution of the database program.

    Application-Level Audit Record for a Mail Delivery System

    Apr  9 11:20:22 host1 AA06370: from=user2@host2, size=3355, class=0
    Apr  9 11:20:23 host1 AA06370: to=user1@host1, delay=00:00:02, stat=Sent
    Apr  9 11:59:51 host1 AA06436: from=user4@host3, size=1424, class=0
    Apr  9 11:59:52 host1 AA06436: to=user1@host1, delay=00:00:02, stat=Sent
    Apr  9 12:43:52 host1 AA06441: from=user2@host2, size=2077, class=0
    Apr  9 12:43:53 host1 AA06441: to=user1@host1, delay=00:00:01, stat=Sent

A user audit trail monitors and logs user activity in a system or application by recording events initiated by the user (e.g., access of a file, record, or field; use of a modem).

    User Log Showing a Chronological List of Commands Executed by Users

    rcp       user1  ttyp0   0.02 secs  Fri Apr  8 16:02
    ls        user1  ttyp0   0.14 secs  Fri Apr  8 16:01
    clear     user1  ttyp0   0.05 secs  Fri Apr  8 16:01
    rpcinfo   user1  ttyp0   0.20 secs  Fri Apr  8 16:01
    nroff     user2  ttyp2   0.75 secs  Fri Apr  8 16:00
    sh        user2  ttyp2   0.02 secs  Fri Apr  8 16:00
    mv        user2  ttyp2   0.02 secs  Fri Apr  8 16:00
    sh        user2  ttyp2   0.03 secs  Fri Apr  8 16:00
    col       user2  ttyp2   0.09 secs  Fri Apr  8 16:00
    man       user2  ttyp2   0.14 secs  Fri Apr  8 15:57

Flexibility is a critical feature of audit trails. Ideally (from a security point of view), a system administrator would have the ability to monitor all system and user activity, but could choose to log only certain functions at the system level and within certain applications. The decision of how much to log and how much to review should be a function of application/data sensitivity, and should be made by each functional manager/application owner with guidance from the system administrator and the computer security manager/officer, weighing the costs and benefits of the logging.[132]

[132] In general, audit logging can have privacy implications. Users should be aware of applicable privacy laws, regulations, and policies that may apply in such situations.

18.2.2.1 System-Level Audit Trails

If a system-level audit capability exists, the audit trail should capture, at a minimum, any attempt to log on (successful or unsuccessful), the log-on ID, the date and time of each log-on attempt, the date and time of each log-off, the devices used, and the function(s) performed once logged on (e.g., the applications that the user tried, successfully or unsuccessfully, to invoke). System-level logging also typically includes information that is not specifically security-related, such as system operations, cost-accounting charges, and network performance.

    A system audit trail should be able to identify failed log-on attempts, especially if the system does not limit the number of failed log-on attempts. Unfortunately, some system-level audit trails cannot detect attempted log-ons and therefore cannot log them for later review. These audit trails can only monitor and log successful log-ons and subsequent activity. To detect intrusion effectively, a record of failed log-on attempts is required.

18.2.2.2 Application-Level Audit Trails

System-level audit trails may not be able to track and log events within applications, or may not be able to provide the level of detail needed by application or data owners, the system administrator, or the computer security manager. In general, application-level audit trails monitor and log user activities, including data files opened and closed, specific actions such as reading, editing, and deleting records or fields, and printing reports. Some applications may be sensitive enough from a data availability, confidentiality, and/or integrity perspective that a "before" and "after" picture of each modified record (or of the data element(s) changed within a record) should be captured by the audit trail.

    Audit Logs for Physical Access

    Physical access control systems (e.g., a card/key entry system or an alarm system) use software and audit trails similar to those of general-purpose computers. The following are examples of criteria that may be used in selecting which events to log:

    o  The date and time the access was attempted or made should be logged, as should the gate or door through which the access was attempted or made, and the individual (or user ID) making the attempt to access the gate or door.

    o  Invalid attempts should be monitored and logged by noncomputer audit trails just as they are for computer-system audit trails. Management should be made aware if someone attempts to gain access during unauthorized hours.

    o  Logged information should also include attempts to add, modify, or delete physical access privileges (e.g., granting a new employee access to the building, or granting transferred employees access to their new office and, of course, deleting their old access, as applicable).

    As with system and application audit trails, auditing of noncomputer functions can be implemented to send messages to security personnel indicating valid or invalid attempts to gain access to controlled spaces. In order not to desensitize a guard or monitor, not every access should result in a message being sent to a screen. Only exceptions, such as failed access attempts, should be highlighted to those monitoring access.

18.2.2.3 User Audit Trails

User audit trails can usually log:

o  all commands directly initiated by the user;
o  all identification and authentication attempts; and
o  files and resources accessed.

It is most useful if options and parameters are also recorded from commands. It is much more useful to know that a user tried to delete a log file (e.g., to hide unauthorized actions) than to know the user merely issued the delete command, possibly for a personal data file.

18.3 Implementation Issues

Audit trail data requires protection, since the data should be available for use when needed and is not useful if it is not accurate. Also, the best planned and implemented audit trail is of limited value without timely review of the logged data. Audit trails may be reviewed periodically, as needed (often triggered by the occurrence of a security event), automatically in real time, or in some combination of these. System managers and administrators, with guidance from computer security personnel, should determine how long audit trail data will be maintained, either on the system or in archive files. Following are examples of implementation issues that may have to be addressed when using audit trails.

18.3.1 Protecting Audit Trail Data

Access to on-line audit logs should be strictly controlled. Computer security managers and system administrators or managers should have access for review purposes; however, security and/or administration personnel who maintain logical access functions may have no need for access to audit logs.
It is particularly important to ensure the integrity of audit trail data against modification. One way to do this is to use digital signatures. (See Chapter 19.) Another way is to use write-once devices. The audit trail files need to be protected since, for example, intruders may try to cover their tracks by modifying audit trail records. Audit trail records should be protected by strong access controls to help prevent unauthorized access. The integrity of audit trail information may be particularly important when legal issues arise, such as when audit trails are used as legal evidence. (This may, for example, require daily printing and signing of the logs.) Questions of such legal issues should be directed to the cognizant legal counsel.

The confidentiality of audit trail information may also need to be protected, for example, if the audit trail is recording information about users that may be disclosure-sensitive, such as transaction data containing personal information (e.g., "before" and "after" records of modifications to income tax data). Strong access controls and encryption can be particularly effective in preserving confidentiality.

18.3.2 Review of Audit Trails

Audit trails can be used to review what occurred after an event, for periodic reviews, and for real-time analysis. Reviewers should know what to look for to be effective in spotting unusual activity. They need to understand what normal activity looks like. Audit trail review can be easier if the audit trail function can be queried by user ID, terminal ID, application name, date and time, or some other set of parameters to run reports of selected information.

Audit Trail Review After an Event. Following a known system or application software problem, a known violation of existing requirements by a user, or some unexplained system or user problem, the appropriate system-level or application-level administrator should review the audit trails. Review by the application/data owner would normally involve a separate report based upon audit trail data to determine whether their resources are being misused.

Periodic Review of Audit Trail Data. Application owners, data owners, system administrators, data processing function managers, and computer security managers should determine how much review of audit trail records is necessary, based on the importance of identifying unauthorized activities. This determination should have a direct correlation to the frequency of periodic reviews of audit trail data.

Real-Time Audit Analysis. Traditionally, audit trails are analyzed in a batch mode at regular intervals (e.g., daily). Audit records are archived during that interval for later analysis. Audit analysis tools can also be used in a real-time, or near real-time, fashion. Such intrusion detection tools are based on audit reduction, attack signature, and variance techniques. Manual review of audit records in real time is almost never feasible on large multiuser systems due to the volume of records generated. However, it might be possible to view all records associated with a particular user or application, and to view them in real time.[133]

[133] This is similar to keystroke monitoring, though it may be legally restricted.

18.3.3 Tools for Audit Trail Analysis

Many types of tools have been developed to help reduce the amount of information contained in audit records, as well as to distill useful information from the raw data. Especially on larger systems, audit trail software can create very large files, which can be extremely difficult to analyze manually. The use of automated tools is likely to be the difference between unused audit trail data and a robust program. Some of the types of tools include:

Audit reduction tools are preprocessors designed to reduce the volume of audit records to facilitate manual review. Before a security review, these tools can remove many audit records known to have little security significance. (This alone may cut in half the number of records in the audit trail.) These tools generally remove records generated by specified classes of events; for example, records generated by nightly backups might be removed.

Trends/variance-detection tools look for anomalies in user or system behavior. It is possible to construct more sophisticated processors that monitor usage trends and detect major variations. For example, if a user typically logs in at 9 a.m. but appears at 4:30 a.m. one morning, this may indicate a security problem that needs to be investigated.

Attack signature-detection tools look for an attack signature, which is a specific sequence of events indicative of an unauthorized access attempt. A simple example would be repeated failed log-in attempts.
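The three tool types of 18.3.3 can be sketched against records in the format of the sample system log in 18.2.2. The following Python is an added example, not code from the handbook or from NIST. The record format is the handbook's; the FAILED LOGIN and "'su root' failed" messages, the dump (nightly backup) records, and the per-user baseline log-on hours are constructed for the illustration.

```python
"""Audit reduction, trend/variance detection and attack-signature detection
over syslog-style authentication records (18.2.2, 18.3.3). Added example; not
NIST code. Record format follows the handbook's sample log; the FAILED LOGIN,
'su root' failed and dump lines and the baseline hours are constructed."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "time host program message kind user device")

# "Mon DD HH:MM:SS host program: message"
LINE_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) (\S+) (\S+): (.*)$")

# (kind, pattern over "program: message", (user group or None=root, device group))
CLASSIFIERS = [
    ("login_ok",   re.compile(r"^login: ROOT LOGIN (\S+)$"),                   (None, 1)),
    ("login_ok",   re.compile(r"^login: LOGIN (\S+) on (\S+)$"),               (1, 2)),
    ("login_fail", re.compile(r"^login: FAILED LOGIN (\S+) on (\S+)$"),        (1, 2)),
    ("su_ok",      re.compile(r"^su: 'su \S+' succeeded for (\S+) on (\S+)$"), (1, 2)),
    ("su_fail",    re.compile(r"^su: 'su \S+' failed for (\S+) on (\S+)$"),    (1, 2)),
]

# Constructed sample trail in the handbook's log format.
SAMPLE_LOG = """\
Jan 27 17:14:04 host1 login: ROOT LOGIN console
Jan 28 02:00:01 host1 dump: level 0 dump of /usr started
Jan 28 02:41:37 host1 dump: level 0 dump of /usr done
Jan 28 04:31:12 host1 login: LOGIN user1 on /dev/ttyp2
Jan 28 09:46:53 host1 su: 'su root' succeeded for user1 on /dev/ttyp0
Feb 17 23:10:02 host1 login: FAILED LOGIN user2 on /dev/ttyp3
Feb 17 23:10:09 host1 login: FAILED LOGIN user2 on /dev/ttyp3
Feb 17 23:10:15 host1 login: FAILED LOGIN user2 on /dev/ttyp3
Feb 17 23:11:02 host1 login: LOGIN user2 on /dev/ttyp3
Feb 17 23:11:40 host1 su: 'su root' failed for user2 on /dev/ttyp3
"""

# Assumed usual log-on hour per user, as learned from earlier trails.
BASELINE_HOUR = {"user1": 9, "user2": 10}


def parse_line(line):
    """Parse one syslog line into an Event; unrecognised events get kind None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    month, day, clock, host, program, message = m.groups()
    when = datetime.strptime(f"{month} {day} {clock}", "%b %d %H:%M:%S")
    kind = user = device = None
    for k, pat, (ug, dg) in CLASSIFIERS:
        c = pat.match(f"{program}: {message}")
        if c:
            kind, device = k, c.group(dg)
            user = "root" if ug is None else c.group(ug)
            break
    return Event(when, host, program, message, kind, user, device)


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def reduce_trail(events, noise_programs=("dump",)):
    """Audit reduction: drop records of agreed low security significance."""
    return [e for e in events if e.program not in noise_programs]


def variance_check(events, baseline_hour, tolerance=2):
    """Variance detection: successful log-ons far from the user's usual hour."""
    flagged = []
    for e in events:
        if e.kind in ("login_ok", "su_ok") and e.user in baseline_hour:
            if abs(e.time.hour - baseline_hour[e.user]) > tolerance:
                flagged.append((e.user, e.time.strftime("%b %d %H:%M:%S")))
    return flagged


def signature_check(events, threshold=3, window=timedelta(minutes=5)):
    """Attack signature: >= threshold failures by one user inside the window,
    noting whether a success followed within the window (a guess that worked)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e.kind in ("login_fail", "su_fail"):
            failures[e.user].append(e.time)
        elif e.kind in ("login_ok", "su_ok"):
            successes[e.user].append(e.time)
    alerts = []
    for user, times in failures.items():
        times.sort()
        i = 0
        while i < len(times):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                followed = any(timedelta(0) <= s - times[i] <= window
                               for s in successes[user])
                alerts.append({"user": user, "count": j - i,
                               "first": times[i].strftime("%b %d %H:%M:%S"),
                               "followed_by_success": followed})
                i = j  # cluster reported; continue past it
            else:
                i += 1
    return alerts


def analyze(text, baseline_hour=BASELINE_HOUR):
    events = reduce_trail(parse_log(text))
    return {"records_after_reduction": len(events),
            "variance": variance_check(events, baseline_hour),
            "signatures": signature_check(events)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the constructed sample, reduction drops the two backup records, variance detection flags user1's 04:31 log-on (usual hour 9) and user2's 23:11 log-on, and the signature check reports user2's four failures in under two minutes followed by a success. Production tools differ mainly in learning the baselines from history rather than a fixed table, and in reading records as they are written for real-time analysis; the structure (parse, reduce, compare with a baseline, match a sequence) is the same.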
18.4 Interdependencies

The ability to audit supports many of the controls presented in this handbook. The following paragraphs describe some of the most important interdependencies.

Policy. The most fundamental interdependency of audit trails is with policy. Policy dictates who is authorized access to what system resources. Therefore it specifies, directly or indirectly, what violations of policy should be identified through audit trails.

Assurance. System auditing is an important aspect of operational assurance. The data recorded into an audit trail is used to support a system audit. The analysis of audit trail data and the process of auditing systems are closely linked; in some cases, they may even be the same thing. In most cases, the analysis of audit trail data is a critical part of maintaining operational assurance.

Identification and Authentication. Audit trails are tools often used to help hold users accountable for their actions. To be held accountable, the users must be known to the system (usually accomplished through the identification and authentication process). However, as mentioned earlier, audit trails record events and associate them with the perceived user (i.e., the user ID). If a user is impersonated, the audit trail will establish the events but not the identity of the user.

Logical Access Control. Logical access controls restrict the use of system resources to authorized users. Audit trails complement this activity in two ways. First, they may be used to identify breakdowns in logical access controls or to verify that access control restrictions are behaving as expected, for example, if a particular user is erroneously included in a group permitted access to a file. Second, audit trails are used to audit use of resources by those who have legitimate access. Additionally, to protect audit trail files, access controls are used to ensure that audit trails are not modified.

Contingency Planning. Audit trails assist in contingency planning by leaving a record of activities performed on the system or within a specific application. In the event of a technical malfunction, this log can be used to help reconstruct the state of the system (or of specific files).

Incident Response. If a security incident occurs, such as hacking, audit records and other intrusion detection methods can be used to help determine the extent of the incident. For example, was just one file browsed, or was a Trojan horse planted to collect passwords?

Cryptography. Digital signatures can be used to protect audit trails from undetected modification. (This does not prevent deletion or modification of the audit trail, but will provide an alert that the audit trail has been altered.) Digital signatures can also be used in conjunction with adding secure time stamps to audit records. Encryption can be used if confidentiality of audit trail information is important.

18.5 Cost Considerations

Audit trails involve many costs. First, some system overhead is incurred recording the audit trail. Additional system overhead will be incurred storing and processing the records. The more detailed the records, the more overhead is required. Another cost involves the human and machine time required to do the analysis. This can be minimized by using tools to perform most of the analysis. Many simple analyzers can be constructed quickly (and cheaply) from system utilities, but they are limited to audit reduction and identifying particularly sensitive events. More complex tools that identify trends or sequences of events are slowly becoming available as off-the-shelf software. (Some intrusion detection systems, for example, have taken years to develop.) If complex tools are not available for a system, development may be prohibitively expensive. The final cost of audit trails is the cost of investigating anomalous events. If the system is identifying too many events as suspicious, administrators may spend undue time reconstructing events and questioning personnel.

References

Fites, P., and M. Kratz. Information Systems Security: A Practitioner's Reference. New York, NY: Van Nostrand Reinhold, 1993 (especially Chapter 12, pp. 331-350).

Kim, G., and E. Spafford. "Monitoring File System Integrity on UNIX Platforms." Infosecurity News, 4(4), 1993, pp. 21-22.

Lunt, T. "Automated Audit Trail Analysis for Intrusion Detection." Computer Audit Update, April 1992, pp. 2-8.

National Computer Security Center. A Guide to Understanding Audit in Trusted Systems. NCSC-TG-001, Version 2. Ft. Meade, MD, 1988.

National Institute of Standards and Technology. "Guidance on the Legality of Keystroke Monitoring." CSL Bulletin, March 1993.

Phillips, P.W. "New Approach Identifies Malicious System Activity." Signal, 46(7), 1992, pp. 65-66.

Ruthberg, Z., et al. Guide to Auditing for Controls and Security: A System Development Life Cycle Approach. Special Publication 500-153. Gaithersburg, MD: National Bureau of Standards, 1988.

Stoll, Clifford. The Cuckoo's Egg. New York, NY: Doubleday, 1989.

Chapter 19

CRYPTOGRAPHY

Cryptography is a branch of mathematics based on the transformation of data. It provides an important tool for protecting information and is used in many aspects of computer security. For example, cryptography can help provide data confidentiality, integrity, electronic signatures, and advanced user authentication. Although modern cryptography relies upon advanced mathematics, users can reap its benefits without understanding its mathematical underpinnings.
This chapter describes cryptography as a tool for satisfying a wide spectrum of computer security needs and requirements. It describes fundamental aspects of the basic cryptographic technologies and some specific ways cryptography can be applied to improve security. The chapter also explores some of the important issues that should be considered when incorporating cryptography into computer systems.

    Cryptography is traditionally associated only with keeping data secret. However, modern cryptography can be used to provide many security services, such as electronic signatures and ensuring that data has not been modified.

19.1 Basic Cryptographic Technologies

Cryptography relies upon two basic components: an algorithm (or cryptographic methodology) and a key. In modern cryptographic systems, algorithms are complex mathematical formulae and keys are strings of bits. For two parties to communicate, they must use the same algorithm (or algorithms that are designed to work together). In some cases, they must also use the same key. Many cryptographic keys must be kept secret; sometimes algorithms are also kept secret.

There are two basic types of cryptography: secret key systems (also called symmetric systems) and public key systems (also called asymmetric systems). Table 19.1 compares some of the distinct features of secret and public key systems. Both types of systems offer advantages and disadvantages. Often, the two are combined to form a hybrid system to exploit the strengths of each type. To determine which type of cryptography best meets its needs, an organization first has to identify its security requirements and operating environment.

    Table 19.1

    DISTINCT FEATURES     SECRET KEY CRYPTOGRAPHY       PUBLIC KEY CRYPTOGRAPHY
    Number of keys        Single key                    Pair of keys
    Types of keys         Key is secret                 One key is private, and one key is public
    Protection of keys    Disclosure and modification   Disclosure and modification for private keys; modification for public keys
    Relative speeds       Faster                        Slower

19.1.1 Secret Key Cryptography

In secret key cryptography, two (or more) parties share the same key, and that key is used to encrypt and decrypt data. As the name implies, secret key cryptography relies on keeping the key secret. If the key is compromised, the security offered by cryptography is severely reduced or eliminated. Secret key cryptography assumes that the parties who share a key rely upon each other not to disclose the key and to protect it against modification.

    Secret key cryptography has been in use for centuries. Early forms merely transposed the written characters to hide the message.

The best known secret key system is the Data Encryption Standard (DES), published by NIST as Federal Information Processing Standard (FIPS) 46-2. Although the adequacy of DES has at times been questioned, these claims remain unsubstantiated, and DES remains strong. It is the most widely accepted, publicly available cryptographic system today. The American National Standards Institute (ANSI) has adopted DES as the basis for encryption, integrity, access control, and key management standards. (This assessment dates from 1995. The 56-bit DES key was subsequently shown to be recoverable by exhaustive search, and NIST withdrew the DES standard, FIPS 46-3, in 2005.)

The Escrowed Encryption Standard, published as FIPS 185, also makes use of a secret key system. (See the discussion of Key Escrow Encryption in this chapter.)

19.1.2 Public Key Cryptography

Whereas secret key cryptography uses a single key shared by two (or more) parties, public key cryptography uses a pair of keys for each party. One of the keys of the pair is "public" and the other is "private." The public key can be made known to other parties; the private key must be kept confidential and must be known only to its owner. Both keys, however, need to be protected against modification.

    Public key cryptography is a modern invention and requires the use of advanced mathematics.

Public key cryptography is particularly useful when the parties wishing to communicate cannot rely upon each other or do not share a common key. There are several public key cryptographic systems. One of the first public key systems is RSA, which can provide many different security services. The Digital Signature Standard (DSS), described later in the chapter, is another example of a public key system.
services The first public key systems is the parties wishing to communicate cannot key There are several public key cryptographic RSA which can provide many different security Digital Signature Standard DSS described later in the chapter is another example of a public key system 19 1 3 Hybrid Cryptographic Systems Public and secret key cryptography have relative advantages and disadvantages Although public key cryptography does not require users to share a faster equivalent implementations of secret key cryptography can run 1 000 to 10 000 times faster than public common key secret key cryptography is much TM key cryptography Secret key systems are often used for bulk data encryption and public key systems for automated key To maximize distribution the advantages and minimize the disadvantages of both secret and public key m i i hi TriTOTiwMimTTiWTinriiiriwTrannifii Miwiii ii ii i iimi cryptography a computer system can use both types in a complementary manner with each performing different functions Typically the speed advantage of secret key cryptography means that cryptography is used for applications that are less it is used for encrypting data Public key demanding to a computer system's resources such as encrypting the keys used by secret key cryptography for distribution or to sign messages 19 1 4 Key Escrow Because cryptography can provide extremely strong encryption efforts to lawfully perform electronic surveillance For example it if can thwart the government's strong cryptography encrypt a phone conversation a court-authorized wiretap will not be effective To meet is used to the needs of the government and to provide privacy the federal government has adopted voluntary key escrow cryptography This technology allows the use of strong encryption but also allows the government when legally authorized to obtain decryption keys held by escrow agents NIST has published the Escrowed Encryption Standard as FTPS 185 Under the Federal Government's 225 Technical 
Controls IV voluntary key escrow escrow authorities initiative the decryption keys are parts and given to separate split into Access to one part of the key does not help decrypt the data both keys must be obtained Uses of Cryptography 19 2 Cryptography is used to protect data both inside and outside the boundaries of a computer system Outside the computer system cryptography While computer system data in a is sometimes the only way to protect perhaps supplemented by cryptography However when in transit across communications lines or resident on someone else's computer data cannot be protected by the originator's 134 physical access controls Cryptography provides a solution by protecting data even when is no longer in the data normally protected with logical and physical access controls is logical or the data control of the Secret originator Key Encryption Decryption 19 2 1 Data Encryption One of the ways best Original Message Send the money on Friday 4 to obtain cost- effective data confidentiality is through the use of encryption Encryption transforms data called plaintext intelligible 135 Encryption Key into an Encrypted Message unintelligible form called ciphertext Drmf yjr proru pm Gtofsu This process is reversed through the process of decryption Once data 4- is Decryption encrypted the ciphertext does not Key have to be protected against disclosure modified it However if ciphertext is u- will not decrypt Original Decrypted Message Send the money on Friday correctly Both secret key and public key cryptography can be used for data encryption although not all public key algorithms provide for data encryption To use a secret key algorithm data 134 The is encrypted using a key The same key must be used to originator does not have to be the original creator of the data It can also be a guardian or custodian of the data 135 Plaintext can be intelligible to a human e g a novel or to a machine 226 e g executable code Cryptography 19 decrypt the data Use of Public Key 
[Figure: Use of Public Key Cryptography for Encryption/Decryption. Message prepared by Person A -> encryption (Person B's public key) -> encrypted message transmitted to Person B -> decryption (Person B's private key) -> plaintext message read by Person B.]

When public key cryptography is used for encryption, any party may use any other party's public key to encrypt a message; however, only the party with the corresponding private key can decrypt, and thus read, the message. Since secret key encryption is typically much faster, it is normally used for encrypting larger amounts of data.

19.2.2 Integrity

In computer systems, it is not always possible for humans to scan information to determine if data has been erased, added, or modified. Even if scanning were possible, the individual may have no way of knowing what the correct data should be. For example, "do" may be changed to "do not," or $1,000 may be changed to $10,000. It is therefore desirable to have an automated means of detecting both intentional and unintentional modifications of data.

While error detecting codes have long been used in communications protocols (e.g., parity bits), these are more effective in detecting (and correcting) unintentional modifications. They can be defeated by adversaries. Cryptography can effectively detect both intentional and unintentional modification; however, cryptography does not protect files from being modified. Both secret key and public key cryptography can be used to ensure integrity. Although newer public key methods may offer more flexibility than the older secret key method, secret key integrity verification systems have been successfully integrated into many applications.

When secret key cryptography is used, a message authentication code (MAC) is calculated from and appended to the data. To verify that the data has not been modified at a later time, any party with access to the correct secret key can recalculate the MAC. The new MAC is compared with the original MAC, and if they are identical, the verifier has confidence that the data has not been modified by an unauthorized party.
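The MAC procedure just described, as an added Python example that is not the handbook's code (it uses HMAC-SHA256 from the standard library rather than the DES-based algorithm of FIPS 113): the sender appends a MAC to the data, the verifier recalculates it with the shared key, and any change to the data, use of a different key, or a message with no MAC at all is rejected. The same check is what Section 19.2.3.1 later calls a secret-key electronic signature, since a verified MAC tells the recipient that a holder of the shared key produced the data. The key and the payment message are constructed sample values.

```python
import hashlib
import hmac

# Added example, not the handbook's code and not the FIPS 113 algorithm:
# HMAC-SHA256 from the standard library serves as the message authentication code.
MAC_LEN = hashlib.sha256().digest_size   # 32 bytes


def compute_mac(key: bytes, data: bytes) -> bytes:
    """Calculate the MAC of `data` under the shared secret `key`."""
    return hmac.new(key, data, hashlib.sha256).digest()


def protect(key: bytes, data: bytes) -> bytes:
    """Append the MAC to the data, as the handbook describes."""
    return data + compute_mac(key, data)


def verify(key: bytes, message: bytes) -> tuple:
    """Split off the MAC, recalculate it with the key and compare.

    Returns (True, data) when the MACs are identical, else (False, b"").
    compare_digest runs in constant time so the comparison itself does
    not leak how many bytes of the MAC matched.
    """
    if len(message) < MAC_LEN:
        return False, b""
    data, received_mac = message[:-MAC_LEN], message[-MAC_LEN:]
    if hmac.compare_digest(compute_mac(key, data), received_mac):
        return True, data
    return False, b""


def demo() -> dict:
    """Constructed scenario: a payment instruction altered after it was MACed."""
    shared_key = b"constructed-shared-secret"       # held by sender and verifier only
    original = b"Pay $1,000 to the contractor"
    message = protect(shared_key, original)

    # An adversary rewrites the amount but cannot produce the matching MAC.
    altered = message.replace(b"$1,000", b"$10,000", 1)
    # A verifier holding some other key gets no assurance either.
    wrong_key = b"another-key"

    return {
        "genuine": verify(shared_key, message)[0],         # True
        "altered": verify(shared_key, altered)[0],         # False
        "wrong_key": verify(wrong_key, message)[0],        # False
        "truncated": verify(shared_key, message[:10])[0],  # False: no MAC present
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:10s}", "accepted" if accepted else "rejected")
```

The MAC detects modification but, exactly as the text says, does not prevent it: the altered message still arrives, and the only defence is that the verifier refuses to act on it. Anyone holding the shared key can produce a valid MAC, which is why a MAC alone is a signature only between parties that trust each other.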
FIPS 113, Computer Data Authentication, specifies a standard technique for calculating a MAC for integrity verification.

Public key cryptography verifies integrity by using public key signatures and secure hashes. A secure hash algorithm is used to create a message digest. The message digest, called a hash, is a short form of the message that changes if the message is modified. The hash is then signed with a private key. Anyone can recalculate the hash and use the corresponding public key to verify the integrity of the message. (136)

19.2.3 Electronic Signatures

Today's computer systems store and process increasing numbers of paper-based documents in electronic form. Having documents in electronic form permits rapid processing and transmission and improves overall efficiency. However, approval of a paper document has traditionally been indicated by a written signature. What is needed, therefore, is the electronic equivalent of a written signature that can be recognized as having the same legal status as a written signature.

[Sidebar: What Is an Electronic Signature? An electronic signature is a cryptographic mechanism that performs a similar function to a written signature. It is used to verify the origin and contents of a message. For example, a recipient of data (e.g., an e-mail message) can verify who signed the data and that the data was not modified after being signed. This also means that the originator (e.g., the sender of an e-mail message) cannot falsely deny having signed the message.]

In addition to the integrity protections discussed above, cryptography can provide a means of linking a document with a particular person, as is done with a written signature. Electronic signatures can use either secret key or public key cryptography; however, public key methods are generally easier to use. Cryptographic signatures provide extremely strong proof that a message has not been altered and was signed by a specific key. (137)
However, there are other mechanisms besides cryptographic-based electronic signatures that perform a similar function. These mechanisms provide some assurance of the origin of a message, some verification of the message's integrity, or both. (138)

Footnote 136: Sometimes a secure hash is used for integrity verification. However, this can be defeated if the hash is not stored in a secure location, since it may be possible for someone to change the message and then replace the old hash with a new one based on the modified message.

Footnote 137: Electronic signatures rely on the secrecy of the keys and the link or binding between the owner of the key and the key itself. If a key is compromised (by theft, coercion, or trickery), then the electronic originator of a message may not be the same as the owner of the key. Although the binding of cryptographic keys to actual people is a significant problem, it does not necessarily make electronic signatures less secure than written signatures. Trickery and coercion are problems for written signatures as well. In addition, written signatures are easily forged.

Footnote 138: The strength of these mechanisms relative to electronic signatures varies depending on the specific implementation; however, in general, electronic signatures are stronger and more flexible. These mechanisms may be used in conjunction with electronic signatures or separately, depending upon the system's specific needs and limitations.

o Examination of the transmission path of a message. When messages are sent across a network, such as the Internet, the message source and the physical path of the message are recorded as a part of the message. These can be examined electronically or manually to help ascertain the origin of a message.

o Use of a value-added network provider. If two or more parties are communicating via a third party network, the network provider may be able to provide assurance that messages originate from a given source and have not been modified.
o Acknowledgment statements. The recipient of an electronic message may confirm the message's origin and contents by sending back an acknowledgement statement.

o Use of audit trails. Audit trails can track the sending of messages and their contents for later reference.

Simply taking a digital picture of a written signature does not provide adequate security. Such a digitized written signature could easily be copied from one electronic document to another with no way to determine whether it is legitimate. Electronic signatures, on the other hand, are unique to the message being signed and will not verify if they are copied to another document.

19.2.3.1 Secret Key Electronic Signatures

An electronic signature can be implemented using secret key message authentication codes (MACs). For example, if two parties share a secret key, and one party receives data with a MAC that is correctly verified using the shared key, that party may assume that the other party signed the data. This assumes, however, that the two parties trust each other. Thus, through the use of a MAC, in addition to data integrity, a form of electronic signature is obtained. Using additional controls, such as key notarization and key attributes, it is possible to provide an electronic signature even if the two parties do not trust each other.

[Sidebar: Systems incorporating message authentication technology have been approved for use by the federal government as a replacement for written signatures on electronic documents.]

19.2.3.2 Public Key Electronic Signatures

Another type of electronic signature, called a digital signature, is implemented using public key cryptography. Data is electronically signed by applying the originator's private key to the data. (The exact mathematical process for doing this is not important for this discussion.) To increase the speed of the process, the private key is applied to a shorter form of the data, called a hash or message digest, rather than to the entire set of data.
The resulting digital signature can be stored or transmitted along with the data. The signature can be verified by any party using the public key of the signer. This feature is very useful, for example, when distributing signed copies of virus-free software. Any recipient can verify that the program remains virus-free. If the signature verifies properly, then the verifier has confidence that the data was not modified after being signed and that the owner of the public key was the signer.

[Figure: Use of Public Key Cryptography for Digital Signature. Message prepared by Person A -> signature (Person A's private key) -> transmitted to Person B -> verification (Person A's public key) -> message verified and read by Person B. Person B knows that only Person A could have sent the message.]

NIST has published standards for a digital signature and a secure hash for use by the federal government in FIPS 186, Digital Signature Standard, and FIPS 180, Secure Hash Standard.

19.2.4 User Authentication

Cryptography can increase security in user authentication techniques. As discussed in Chapter 16, cryptography is the basis for several advanced authentication methods. Instead of communicating passwords over an open network, authentication can be performed by demonstrating knowledge of a cryptographic key. Using these methods, a one-time password, which is not susceptible to eavesdropping, can be used. User authentication can use either secret or public key cryptography.

19.3 Implementation Issues

This section explores several important issues that should be considered when using (e.g., designing, implementing, integrating) cryptography in a computer system.

19.3.1 Selecting Design and Implementation Standards

NIST and other organizations have developed numerous standards for designing, implementing, and using cryptography and for integrating it into automated systems. By using these standards, organizations can reduce costs and protect their investments in technology.

[Sidebar: Applicable security standards provide a common level of security and interoperability among users.]
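As an added example that is not the handbook's code (textbook RSA rather than the DSS), the following Python shows both uses of a private key described in the sections above: signing the hash of a document as in Section 19.2.3.2, where the signature verifies only for the unchanged document and only under the signer's public key, and the user authentication of Section 19.2.4, where the user proves possession of the key by signing a fresh server challenge instead of sending a password. The key size, the seeded random generator, the sample program bytes and the `login-challenge:` prefix are all constructed for the demonstration; a production system would use a validated implementation of a published standard such as FIPS 186.

```python
import hashlib
import random

# Added example, not the handbook's code and not the DSS (FIPS 186): textbook
# RSA applied to a SHA-256 message digest, with a seeded generator so a run is
# repeatable. No padding and demonstration-size keys; not for production use.

_SMALL_PRIMES = [p for p in range(3, 2000, 2)
                 if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]

def is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin test after trial division by small primes."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_prime(bits: int, rng: random.Random) -> int:
    """Draw odd candidates of exactly `bits` bits until one passes the test."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rng):
            return candidate

def keygen(bits: int = 1024, seed: int = 1) -> tuple:
    """Return ((n, e), (n, d)): the public key and the private key."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = generate_prime(bits // 2, rng), generate_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:      # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def digest(message: bytes) -> int:
    """Secure hash of the message as an integer (256 bits, so always < n)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(private_key: tuple, message: bytes) -> int:
    """Apply the private key to the hash of the data, not to the data itself."""
    n, d = private_key
    return pow(digest(message), d, n)

def verify(public_key: tuple, message: bytes, signature: int) -> bool:
    """Any party holding the public key can check the signature and message."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)

# User authentication by demonstrating knowledge of a key (Section 19.2.4):
# the server issues a fresh random challenge that the user signs, so no
# password crosses the network and a captured response is useless later.
def make_challenge(rng: random.Random) -> bytes:
    return rng.getrandbits(128).to_bytes(16, "big")

def respond(private_key: tuple, challenge: bytes) -> int:
    return sign(private_key, b"login-challenge:" + challenge)

def check_response(public_key: tuple, challenge: bytes, response: int) -> bool:
    return verify(public_key, b"login-challenge:" + challenge, response)

def demo() -> dict:
    """Signed software distribution, then a challenge-response login."""
    public_key, private_key = keygen(1024, seed=2024)
    program = b"constructed sample: bytes of a signed software release"
    signature = sign(private_key, program)
    infected = program.replace(b"release", b"re1ease")     # one byte changed
    other_public, _ = keygen(1024, seed=7)                  # somebody else's key
    rng = random.Random(99)
    challenge = make_challenge(rng)
    response = respond(private_key, challenge)
    next_challenge = make_challenge(rng)                    # a later login attempt
    return {
        "genuine": verify(public_key, program, signature),               # True
        "modified": verify(public_key, infected, signature),             # False
        "copied": verify(public_key, b"other document", signature),      # False
        "other_signer": verify(other_public, program, signature),        # False
        "login": check_response(public_key, challenge, response),        # True
        "replay": check_response(public_key, next_challenge, response),  # False
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:13s}", "verified" if ok else "rejected")
```

`keygen` derives the primes from `random.Random(seed)` so that the run is repeatable; that is acceptable only in a demonstration, since anyone who knows the seed knows the private key, and real key generation must draw from a cryptographically secure source. The challenge is signed with a fixed prefix so that a login response cannot be passed off as the user's signature on some other document.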
Standards provide solutions that have been accepted by a wide community and that have been reviewed by experts in relevant areas. Standards help ensure interoperability among different vendors' equipment, thus allowing an organization to select from among various products in order to find cost-effective equipment.

Managers and users of computer systems will have to select among various standards when deciding to use cryptography. Their selection should be based on cost-effectiveness analysis, trends in the standard's acceptance, and interoperability requirements. In addition, each standard should be carefully analyzed to determine if it is applicable to the organization and the desired application. For example, the Data Encryption Standard and the Escrowed Encryption Standard are both applicable to certain applications involving communications of data over commercial modems. Some federal standards are mandatory for federal computer systems, including FIPS 46-2 (DES), FIPS 181, and the DSS.

19.3.2 Deciding on Hardware vs. Software Implementations

The trade-offs among security, cost, simplicity, efficiency, and ease of implementation need to be studied by managers acquiring various security products meeting a standard. Cryptography can be implemented in either hardware or software. Each has its related costs and benefits. In general, software is less expensive and slower than hardware, although for large applications hardware may be less expensive. In addition, software may be less secure, since it is more easily modified or bypassed than equivalent hardware products. Tamper resistance is usually considered better in hardware.

In many cases, cryptography is implemented in a hardware device (e.g., an electronic chip or a ROM-protected processor) but is controlled by software.
This software requires integrity protection to ensure that the hardware device is provided with correct information (i.e., controls, data) and is not bypassed. Thus a hybrid solution is generally provided, even when the basic cryptography is implemented in hardware. Effective security requires the correct management of the entire hybrid solution.

19.3.3 Managing Keys

The proper management of cryptographic keys is essential to the effective use of cryptography for security. Ultimately, the security of information protected by cryptography directly depends upon the protection afforded to keys. All keys need to be protected against modification, and secret keys and private keys need protection against unauthorized disclosure. Key management involves the procedures and protocols, both manual and automated, used throughout the entire life cycle of the keys. This includes the generation, distribution, storage, entry, use, destruction, and archiving of cryptographic keys.

With secret key cryptography, the secret key(s) should be securely distributed (i.e., safeguarded against unauthorized replacement, modification, and disclosure) to the parties wishing to communicate. Depending upon the number and location of users, this task may not be trivial. Automated techniques for generating and distributing cryptographic keys can ease the overhead costs of key management, but some resources have to be devoted to this task. FIPS 171, Key Management Using ANSI X9.17, provides key management solutions for a variety of operational environments.

Public key cryptography users also have to satisfy certain key management requirements. For example, since a private-public key pair is associated with (i.e., generated or held by) a specific user, it is necessary to bind the public part of the key pair to the user. (139) In a small community of users, public keys and their owners can be strongly bound by simply exchanging public keys (e.g., putting them on a CD-ROM or other media). However, conducting electronic business on a larger scale, potentially involving geographically and organizationally distributed users, necessitates a means for obtaining public keys electronically with a high degree of confidence in their integrity and binding to individuals.
The support for the binding between a key and its owner is generally referred to as a public key infrastructure.

Users also need to be able to enter the community of key holders, generate keys (or have them generated on their behalf), disseminate public keys, revoke keys (for example, in case of compromise of the private key), and change keys. In addition, it may be necessary to build in time/date stamping and to archive keys for verification of old signatures.

Footnote 139: In some cases, the key may be bound to a position or an organization rather than to an individual user.

19.3.4 Security of Cryptographic Modules

Cryptography is typically implemented in a module of software, firmware, hardware, or some combination thereof. This module contains the cryptographic algorithm(s), certain control parameters, and temporary storage facilities for the key(s) being used by the algorithm(s). The proper functioning of the cryptography requires the secure design, implementation, and use of the cryptographic module. This includes protecting the module against tampering.

[Sidebar: FIPS 140-1, Security Requirements for Cryptographic Modules, specifies the physical and logical security requirements for cryptographic modules. The standard defines four security levels for cryptographic modules, with each level providing a significant increase in security over the preceding level. The four levels allow for cost-effective solutions that are appropriate for different degrees of data sensitivity and different application environments. The user can select the best module for any given application or system, avoiding the cost of unnecessary security features.]

19.3.5 Applying Cryptography to Networks

The use of cryptography within networking applications often requires special considerations. In these applications, the suitability of a cryptographic module may depend on its capability for handling special requirements imposed by locally attached communications equipment or by the network protocols and software.
Encrypted information, MACs, or digital signatures may require transparent communications protocols or equipment to avoid being misinterpreted by the communications equipment or software as control information. It may be necessary to format the encrypted information, MAC, or digital signature to ensure that it does not confuse the communications equipment or software. It is essential that cryptography satisfy the requirements imposed by the communications equipment and does not interfere with the proper and efficient operation of the network.

Data is encrypted on a network using either link or end-to-end encryption. In general, link encryption is performed by service providers, such as a data communications provider. Link encryption encrypts all of the data along a communications path (e.g., a satellite link, telephone circuit, or T1 line). Since link encryption also encrypts routing data, communications nodes need to decrypt the data to continue routing. End-to-end encryption is generally performed by the end-user organization. Although data remains encrypted when being passed through a network, routing information remains visible. It is possible to combine both types of encryption.

19.3.6 Complying with Export Rules

The U.S. Government controls the export of cryptographic implementations. The rules governing export can be quite complex, since they consider multiple factors. In addition, cryptography is a rapidly changing field, and rules may change from time to time. Questions concerning the export of a particular implementation should be addressed to appropriate legal counsel.

19.4 Interdependencies

There are many interdependencies among cryptography and other security controls highlighted in this handbook. Cryptography both depends on other security safeguards and assists in providing them.

Physical Security. Physical protection of a cryptographic module is required to prevent - or at least detect - physical replacement or modification of the cryptographic system and the keys within it.
In many environments (e.g., open offices, portable computers), the cryptographic module itself has to provide the desired levels of physical security. In other environments (e.g., closed communications facilities, steel-encased Cash-Issuing Terminals), a cryptographic module may be safely employed within a secured facility.

User Authentication. Cryptography can be used both to protect passwords that are stored in computer systems and to protect passwords that are communicated between computers. Furthermore, cryptographic-based authentication techniques may be used in conjunction with, or in place of, password-based techniques to provide stronger authentication of users.

Logical Access Control. In many cases, cryptographic software may be embedded within a host system, and it may not be feasible to provide extensive physical protection to the host system. In these cases, logical access control may provide a means of isolating the cryptographic software from other parts of the host system and for protecting the cryptographic software from tampering and the keys from replacement or disclosure. The use of such controls should provide the equivalent of physical protection.

Audit Trails. Cryptography may play a useful role in audit trails. For example, audit records may need to be signed. Cryptography may also be needed to protect audit records stored on computer systems from disclosure or modification. Audit trails are also used to help support electronic signatures.

Assurance. Assurance that a cryptographic module is properly and securely implemented is essential to the effective use of cryptography. NIST maintains validation programs for several of its standards for cryptography. Vendors can have their products validated for conformance to the standard through a rigorous set of tests. Such testing provides increased assurance that a module meets stated standards, and system designers, integrators, and users can have greater confidence that validated products conform to accepted standards.

[Sidebar: NIST maintains validation programs for several of its cryptographic standards.]
A cryptographic system should be monitored and periodically audited to ensure that it is satisfying its security objectives. All parameters associated with correct operation of the cryptographic system should be reviewed, and operation of the system itself should be periodically tested and the results audited. Certain information, such as secret keys or private keys in public key systems, should not be subject to audit. However, nonsecret or nonprivate keys could be used in a simulated audit procedure.

19.5 Cost Considerations

Using cryptography to protect information has both direct and indirect costs. Cost is determined in part by product availability; a wide variety of products exist for implementing cryptography in integrated circuits, add-on boards or adapters, and stand-alone units.

19.5.1 Direct Costs

The direct costs of cryptography include:

o Acquiring or implementing the cryptographic module and integrating it into the computer system. The medium (i.e., hardware, software, firmware, or a combination) and various other issues, such as level of security, logical and physical configuration, and special processing requirements, will have an impact on cost.

o Managing the cryptography and, in particular, managing the cryptographic keys, which includes key generation, distribution, archiving, and disposition, as well as security measures to protect the keys, as appropriate.

19.5.2 Indirect Costs

The indirect costs of cryptography include:

o A decrease in system or network performance, resulting from the additional overhead of applying cryptographic protection to stored or communicated data.

o Changes in the way users interact with the system, resulting from more stringent security enforcement. However, cryptography can be made nearly transparent to the users so that the impact is minimal.

References
Alexander, M., ed. "Protecting Data With Secret Codes." Infosecurity News. 4(6), 1993. pp. 72-78.

American Bankers Association. American National Standard for Financial Institution Key Management (Wholesale). ANSI X9.17-1985. Washington, DC, 1985.

Denning, P., and D. Denning. "The Clipper and Capstone Encryption Systems." American Scientist. 81(4), 1993. pp. 319-323.

Diffie, W., and M. Hellman. "New Directions in Cryptography." IEEE Transactions on Information Theory. Vol. IT-22, No. 6, November 1976. pp. 644-654.

Duncan, R. "Encryption ABCs." Infosecurity News. 5(2), 1994. pp. 36-41.

International Organization for Standardization. Information Processing Systems - Open Systems Interconnection Reference Model - Part 2: Security Architecture. ISO 7498/2. 1988.

Meyer, C.H., and S.M. Matyas. Cryptography: A New Dimension in Computer Data Security. New York, NY: John Wiley & Sons, 1982.

Nechvatal, James. Public-Key Cryptography. Special Publication 800-2. Gaithersburg, MD: National Institute of Standards and Technology, April 1991.

National Bureau of Standards. Computer Data Authentication. Federal Information Processing Standard Publication 113. May 30, 1985.

National Institute of Standards and Technology. Advanced Authentication Technology. Computer Systems Laboratory Bulletin. November 1991.

National Institute of Standards and Technology. Data Encryption Standard. Federal Information Processing Standard Publication 46-2. December 30, 1993.

National Institute of Standards and Technology. Digital Signature Standard. Computer Systems Laboratory Bulletin. January 1993.

National Institute of Standards and Technology. Digital Signature Standard. Federal Information Processing Standard Publication 186. May 1994.

National Institute of Standards and Technology. Escrowed Encryption Standard. Federal Information Processing Standard Publication 185. 1994.

National Institute of Standards and Technology. Key Management Using ANSI X9.17. Federal Information Processing Standard Publication 171. April 27, 1992.
National Institute of Standards and Technology. Secure Hash Standard. Federal Information Processing Standard Publication 180. May 11, 1993.

National Institute of Standards and Technology. Security Requirements for Cryptographic Modules. Federal Information Processing Standard Publication 140-1. January 11, 1994.

Rivest, R., A. Shamir, and L. Adleman. "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems." Communications of the ACM. Vol. 21, No. 2, 1978. pp. 120-126.

Saltman, Roy G., ed. Good Security Practices for Electronic Commerce, Including Electronic Data Interchange. Special Publication 800-9. Gaithersburg, MD: National Institute of Standards and Technology, December 1993.

Schneier, B. "A Taxonomy of Encryption Algorithms." Computer Security Journal. 9(1), 1993. pp. 39-60.

Schneier, B. "Four Crypto Standards." Infosecurity News. 4(2), 1993. pp. 38-39.

Schneier, B. Applied Cryptography: Protocols, Algorithms, and Source Code in C. New York, NY: John Wiley & Sons, Inc., 1994.

U.S. Congress, Office of Technology Assessment. "Security Safeguards and Practices." Defending Secrets, Sharing Data: New Locks and Keys for Electronic Information. Washington, DC, 1987. pp. 54-72.

V. EXAMPLE

Chapter 20
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM

This chapter illustrates how a hypothetical government agency (HGA) (140) deals with computer security issues in its operating environment. It follows the evolution of HGA's initiation of an assessment of the threats to its computer security system all the way through to HGA's recommendations for mitigating those risks. In the real world, many solutions exist for computer security issues. No single solution can solve similar security problems in all environments. Likewise, the solutions presented in this example may not be appropriate for all environments. This case study is provided for illustrative purposes only, and should not be construed as guidance or specific recommendations to solving specific security issues. This example can be used to help understand how security issues are examined, how some potential solutions are analyzed, how their cost and benefits are weighed, and ultimately how management accepts responsibility for risks.
Because a comprehensive example attempting to illustrate all handbook topics would be inordinately long, this example necessarily simplifies the issues presented and omits many details. For instance, to highlight the similarities and differences among controls in the different processing environments, it addresses some of the major types of processing platforms linked together in a distributed system: personal computers, local-area networks, wide-area networks, and mainframes; it does not show how to secure these platforms. This section also highlights the importance of management's acceptance of a particular level of risk -- this will, of course, vary from organization to organization. It is management's prerogative to decide what level of risk is appropriate, given operating and budget environments and other applicable factors.

20.1 Initiating the Risk Assessment

HGA has information systems that comprise and are intertwined with several different kinds of assets valuable enough to merit protection. HGA's systems play a key role in transferring U.S. Government funds to individuals in the form of paychecks; hence, financial resources are among the assets associated with HGA's systems. The system components owned and operated by HGA are also assets, as are personnel information, contracting and procurement documents, draft regulations, internal correspondence, and a variety of other day-to-day business documents, memos, and reports. HGA's assets include intangible elements as well, such as the reputation of the agency and the confidence of its employees that personal information will be handled properly and that the wages will be paid on time.

Footnote 140: While this chapter draws upon many actual systems, details and characteristics were changed and merged. Although the chapter is arranged around an agency, the case study could also apply to a large division or office within an agency.
A recent change in the directorship of HGA has brought in a new management team. Among the new Chief Information Officer's first actions was appointing a Computer Security Program Manager who immediately initiated a comprehensive risk analysis to assess the soundness of HGA's computer security program in protecting the agency's assets and its compliance with federal directives. This analysis drew upon prior risk assessments, threat studies, and applicable internal control reports. The Computer Security Program Manager also established a timetable for periodic reassessments.

Since the wide-area network and mainframe used by HGA are owned and operated by other organizations, they were not treated in the risk assessment as HGA's assets. And although HGA's personnel, buildings, and facilities are essential assets, the Computer Security Program Manager considered them to be outside the scope of the risk analysis.

After examining HGA's computer system, the risk assessment team identified specific threats to HGA's assets, reviewed HGA's and national safeguards against those threats, identified the vulnerabilities of those policies, and recommended specific actions for mitigating the remaining risks to HGA's computer security. The following sections provide highlights from the risk assessment. The assessment addressed many other issues at the programmatic and system levels. However, this chapter focuses on security issues related to the time and attendance application. (Other issues are discussed in Chapter 6.)

20.2 HGA's Computer System

HGA relies on the distributed computer systems and networks shown in Figure 20.1. They consist of a collection of components, some of which are systems in their own right. Some belong to HGA, but others are owned and operated by other organizations. This section describes these components, their role in the overall distributed system architecture, and how they are used by HGA.

20.2.1 System Architecture

Most of HGA's staff (a mix of clerical, technical, and managerial staff) are provided with personal computers (PCs) located in their offices.
Each PC includes hard-disk and floppy-disk drives. The PCs are connected to a local area network (LAN) so that users can exchange and share information.

[Figure 20.1: HGA's distributed computer systems and networks.]

The central component of the LAN is a LAN server, a more powerful computer that acts as an intermediary between PCs on the network and provides a large volume of disk storage for shared information, including shared application programs. The server provides logical access controls on potentially sharable information via elementary access control lists. These access controls can be used to limit user access to various files and programs stored on the server. Some programs stored on the server can be retrieved via the LAN and executed on a PC; others can only be executed on the server.

To initiate a session on the network or execute programs on the server, users at a PC must log into the server and provide a user identifier and password known to the server. Then they may use files to which they have access. One of the applications supported by the server is electronic mail (e-mail), which can be used by all PC users. Other programs that run on the server can only be executed by a limited set of PC users.

Several printers, distributed throughout HGA's building complex, are connected to the LAN. Users at PCs may direct printouts to whichever printer is most convenient for their use.

Since HGA must frequently communicate with industry, the LAN also provides a connection to the Internet via a router. The router is a network interface device that translates between the protocols and addresses associated with the LAN and the Internet. The router also performs network packet filtering, a form of network access control, and has recently been configured to disallow non-e-mail traffic (e.g., file transfer, remote log-in) between LAN and Internet computers.

The LAN server also has connections to several other devices:
o A modem pool is provided so that HGA's employees on travel can dial up via the public switched telephone network and read or send e-mail. To initiate a dial-up session, a user must successfully log in. During dial-up sessions, the LAN server provides access only to e-mail facilities; no other functions can be invoked.

o A special console is provided for the server administrators who configure the LAN server, establish and delete user accounts, and have other special privileges needed for administrative and maintenance functions. These functions can only be invoked from the administrator console; that is, they cannot be invoked from a PC on the network or from a dial-up session.

o A connection to a government agency X.25-based wide-area network (WAN) is provided so that information can be transferred to or from other agency systems. One of the other hosts on the WAN is a large multiagency mainframe system. This mainframe is used to collect and process information from a large number of agencies while providing a range of access controls.

20.2.2 System Operational Authority/Ownership

The system components contained within the large dashed rectangle shown in Figure 20.1 are managed and operated by an organization within HGA known as the Computer Operations Group (COG). This group includes the PCs, LAN, server, console, printers, modem pool, and router. The WAN is owned and operated by a large commercial telecommunications company that provides WAN services under a government contract. The mainframe is owned and operated by a federal agency that acts as a service provider for HGA and other agencies connected to the WAN.

20.2.3 System Applications

PCs on HGA's LAN are used for word processing, data manipulation, and other common applications, including spreadsheet and project management tools.
be available in a timely manner.

The mainframe also provides storage and retrieval services for other databases belonging to individual agencies. For example, several agencies, including HGA, store their personnel databases on the mainframe; these databases contain dates of service, leave balances, salary and W-2 information, and so forth.

In addition to their time and attendance application, HGA's PCs and the LAN server are used to manipulate other kinds of information that may be sensitive with respect to confidentiality or integrity, including personnel-related correspondence and draft contracting documents.

20.3 Threats to HGA's Assets

Different assets of HGA are subject to different kinds of threats. Some threats are considered less likely than others, and the potential impact of different threats may vary greatly. The likelihood of threats is generally difficult to estimate accurately. Both HGA and the risk assessment's authors have attempted, to the extent possible, to base these estimates on historical data, but have also tried to anticipate new trends stimulated by emerging technologies (e.g., external networks).

V Example

20.3.1 Payroll Fraud

As for most large organizations that control financial assets, attempts at fraud and embezzlement are likely to occur. Historically, attempts at payroll fraud have almost always come from within HGA or the other agencies that operate systems on which HGA depends. Although HGA has thwarted many of these attempts, and some have involved relatively small sums of money, it considers preventing financial fraud to be a critical computer security priority, particularly in light of the potential financial losses and the risks of damage to its reputation with Congress, the public, and other federal agencies.

Attempts to defraud HGA have included the following:

o Submitting fraudulent time sheets for hours or days not worked, or for pay periods following termination or transfer of employment. The former may take the form of
overreporting compensatory or overtime hours worked, or underreporting vacation or sick leave taken. Alternatively, attempts have been made to modify time sheet data after being entered and approved for submission to payroll.

o Falsifying or modifying dates or data on which one's years of service computations are based, thereby becoming eligible for retirement earlier than allowed, or increasing one's pension amount.

o Creating employee records and time sheets for fictitious personnel, and attempting to obtain their paychecks, particularly after arranging for direct deposit.

20.3.2 Payroll Errors

Of greater likelihood, but of perhaps lesser potential impact on HGA, are errors in the entry of time and attendance data; failure to enter information describing new employees, terminations, and transfers in a timely manner; accidental corruption or loss of time and attendance data; or errors in interagency coordination and processing of personnel transfers.

Errors of these kinds can cause financial difficulties for employees and accounting problems for HGA. If an employee's vacation or sick leave balance became negative erroneously during the last pay period of the year, the employee's last paycheck would be automatically reduced. An individual who transfers between HGA and another agency may risk receiving duplicate paychecks, or no paychecks, for the pay periods immediately following the transfer. Errors of this sort that occur near the end of the year can lead to errors in W-2 forms and subsequent difficulties with the tax collection agencies.

20.3.3 Interruption of Operations

HGA's building facilities and physical plant are several decades old and are frequently under repair or renovation. As a result, power, air conditioning, and LAN or WAN connectivity for the server are typically interrupted several times a year for periods of up to one work day. For example, on several occasions construction workers have inadvertently severed power or network cables. Fires, floods, storms, and other natural
disasters can also interrupt computer operations, as can equipment malfunctions.

Another threat of small likelihood but significant potential impact is that of a malicious or disgruntled employee or outsider seeking to disrupt time-critical processing (e.g., payroll) by deleting necessary inputs or system accounts, misconfiguring access controls, planting computer viruses, or stealing or sabotaging computers or related equipment. Such interruptions, depending upon when they occur, can prevent time and attendance data from getting processed and transferred to the mainframe before the payroll processing deadline.

20.3.4 Disclosure or Brokerage of Information

Other kinds of threats may be stimulated by the growing market for information about an organization's employees or internal activities. Individuals who have legitimate work-related reasons for access to the master employee database may attempt to disclose such information to other employees or contractors, or to sell it to private investigators, employment recruiters, the press, or other organizations. HGA considers such threats to be moderately likely and of low to high potential impact, depending on the type of information involved.

20.3.5 Network-Related Threats

Most of the human threats of concern to HGA originate from insiders. Nevertheless, HGA also recognizes the need to protect its assets from outsiders. Such attacks may serve many different purposes and pose a broad spectrum of risks, including unauthorized disclosure or modification of information, unauthorized use of services and assets, or unauthorized denial of services.

As shown in Figure 20.1, HGA's systems are connected to three external networks: (1) the Internet, (2) the Interagency WAN, and (3) the public-switched telephone network. Although these networks are a source of security risks, connectivity with them is essential to HGA's mission and to the productivity of its employees; connectivity cannot be
terminated simply because of security risks.

In each of the past few years before establishing its current set of network safeguards, HGA had detected several attempts by outsiders to penetrate its systems. Most, but not all, of these have come from the Internet, and those that succeeded did so by learning or guessing user account passwords. In two cases, the attacker deleted or corrupted significant amounts of data, most of which were later restored from backup files. In most cases, HGA could detect no ill effects of the attack, but concluded that the attacker may have browsed through some files. HGA also conceded that its systems did not have audit logging capabilities sufficient to track an attacker's activities. Hence, for most of these attacks, HGA could not accurately gauge the extent of penetration.

In one case, an attacker made use of a bug in an e-mail utility and succeeded in acquiring System Administrator privileges on the server -- a significant breach. HGA found no evidence that the attacker attempted to exploit these privileges before being discovered two days later. When the attack was detected, COG immediately contacted HGA's Incident Handling Team and was told that a bug fix had been distributed by the server vendor several months earlier. To its embarrassment, COG discovered that it had already received the fix, which it then promptly installed. It now believes that no subsequent attacks of the same nature have succeeded.

Although HGA has no evidence that it has been significantly harmed to date by attacks via external networks, it believes that these attacks have great potential to inflict damage. HGA's management considers itself lucky that such attacks have not harmed HGA's reputation and the confidence of the citizens it serves. It also believes the likelihood of such attacks via external networks will increase in the future.

20.3.6 Other Threats

HGA's systems also are exposed to several other threats that, for reasons of space, cannot be fully enumerated
here. Examples of threats and HGA's assessment of their probabilities and impacts include those listed in Table 20.1.

20.4 Current Security Measures

HGA has numerous policies and procedures for protecting its assets against the above threats. These are articulated in HGA's Computer Security Manual, which implements and synthesizes the requirements of many federal directives, such as Appendix III to OMB Circular A-130, the Computer Security Act of 1987, and the Privacy Act. The manual also includes policies for automated financial systems, such as those based on OMB Circulars A-123 and A-127, as well as the Federal Managers' Financial Integrity Act. Several examples of those policies follow, as they apply generally to the use and administration of HGA's computer system and specifically to security issues related to time and attendance, payroll, and continuity of operations.

20.4.1 General Use and Administration of HGA's Computer System

HGA's Computer Operations Group (COG) is responsible for controlling, administering, and maintaining the computer resources owned and operated by HGA. These functions are depicted in Figure 20.1, enclosed in the large dashed rectangle. Only individuals holding the job title System Administrator are authorized to establish log-in IDs and passwords on multiuser HGA systems (e.g., the LAN server). Only HGA's employees and contract personnel may use the system, and only after receiving written authorization from the department supervisor (or, in the case of contractors, the contracting officer) to whom these individuals report.

COG issues copies of all relevant security policies and procedures to new users. Before activating a system account for new users, COG requires that they (1) attend a security awareness and training course or complete an interactive computer-aided-instruction training session and (2) sign an acknowledgment form indicating that they understand their security responsibilities.
Authorized users are assigned a secret log-in ID and password, which they must not share with anyone else. They are expected to comply with all of HGA's password selection and security procedures (e.g., periodically changing passwords). Users who fail to do so are subject to a range of penalties.

Table 20.1 Examples of Threats to HGA Systems

Potential Threat                                              Probability   Impact
Accidental Loss/Release of Disclosure-Sensitive Information   Medium        Low/Medium
Accidental Destruction of Information                         High          Medium
Loss of Information due to Virus Contamination                Medium        Medium
Misuse of System Resources                                    Low           Low
Theft                                                         High          Medium
Unauthorized Access to Telecommunications Resources *         Medium        Medium
Natural Disaster                                              Low           High

* HGA operates a PBX system, which may be vulnerable to (1) hacker disruptions of PBX availability and, consequently, agency operations, (2) unauthorized access to outgoing phone lines for long-distance services, (3) unauthorized access to stored voice-mail messages, and (4) surreptitious access to otherwise private conversations/data transmissions.

Users creating data that are sensitive with respect to disclosure or modification are expected to make effective use of the automated access control mechanisms available on HGA computers to reduce the risk of exposure to unauthorized individuals. (Appropriate training and education are in place to help users do this.) In general, access to disclosure-sensitive information is to be granted only to individuals whose jobs require it.

20.4.2 Protection Against Payroll Fraud and Errors: Time and Attendance Application

The time and attendance application plays a major role in protecting against payroll fraud and errors. Since the time and attendance application is a component of a larger automated payroll process, many of its functional and security requirements have been derived from both governmentwide and HGA-specific policies related to payroll
and leave. For example, HGA must protect personal information in accordance with the Privacy Act. Depending on the specific type of information, it should normally be viewable only by the individual concerned, the individual's supervisors, and personnel and payroll department employees. Such information should also be timely and accurate.

Each week, employees must sign and submit a time sheet that identifies the number of hours they have worked and the amount of leave they have taken. The Time and Attendance Clerk enters the data for a given group of employees and runs an application on the LAN server to verify the data's validity and to ensure that only authorized users with access to the Time and Attendance Clerk's functions can enter time and attendance data. The application performs these security checks by using the LAN server's access control and identification and authentication (I&A) mechanisms. The application compares the data with a limited database of employee information to detect incorrect employee identifiers, implausible numbers of hours worked, and so forth. After correcting any detected errors, the clerk runs another application that formats the time and attendance data into a report, flagging exception/out-of-bound conditions (e.g., negative leave balances).

Department supervisors are responsible for reviewing the correctness of the time sheets of the employees under their supervision and indicating their approval by initialing the time sheets. If they detect significant irregularities and indications of fraud in such data, they must report their findings to the Payroll Office before submitting the time sheets for processing. In keeping with the principle of separation of duty, all data on time sheets, and any corrections on the sheets that may affect the pay, leave, retirement, or other benefits of an individual, must be reviewed for validity by at least two authorized individuals other than the affected individual.

Protection Against Unauthorized Execution
Only users with access to Time and Attendance Supervisor functions may approve and submit time and attendance data -- or subsequent corrections thereof -- to the mainframe. Supervisors may not approve their own time and attendance data.

Only the System Administrator has been granted access to assign a special access control privilege to server programs. As a result, the server's operating system is designed to prevent a bogus time and attendance application created by any other user from communicating with the WAN and, hence, with the mainframe.

The time and attendance application is supposed to be configured so that the clerk and supervisor functions can only be carried out from specific PCs attached to the LAN, and only during normal working hours. Administrators are not authorized to exercise functions of the time and attendance application apart from those concerned with configuring the accounts, passwords, and access permissions for clerks and supervisors. Administrators are expressly prohibited by policy from entering, modifying, or submitting time and attendance data via the time and attendance application or other mechanisms. [141]

Protection against unauthorized execution of the time and attendance application depends on I&A and access controls. While the time and attendance application is accessible from any PC, unlike most programs run by PC users it does not execute directly on the PC's processor. Instead, it executes on the server, while the PC behaves as a terminal, relaying the user's keystrokes to the server and displaying text and graphics sent from the server. The reason for this approach is that common PC systems do not provide I&A and access controls and therefore cannot protect against unauthorized time and attendance program execution: any individual who has access to the PC could run any program stored there.

Another possible approach is for the time and attendance program to perform
I&A and access control on its own, by requesting and validating a password before beginning each time and attendance session. This approach, however, can be defeated easily by a moderately skilled programming attack, and was judged inadequate by HGA during the application's early design phase.

Recall that the server is a more powerful computer equipped with a multiuser operating system that includes password-based I&A and access controls. Designing the time and attendance application so that it executes on the server, under the control of the server's operating system, provides a more effective safeguard against unauthorized execution than executing it on the user's PC.

[141] Technically, System Administrators may still have the ability to do so. This highlights the importance of adequate managerial reviews, auditing, and personnel background checks.

Protection Against Payroll Errors

The frequency of data entry errors is reduced by having Time and Attendance Clerks enter each time sheet into the time and attendance application twice. If the two copies are identical, both are considered error free, and the record is accepted for subsequent review and approval by a supervisor. If the copies are not identical, the discrepancies are displayed, and for each discrepancy the clerk determines which copy is correct. The clerk then incorporates the corrections into one of the copies, which is then accepted for further processing. If the clerk makes the same data-entry error twice, the two copies will match and one will be accepted as correct even though it is erroneous. To reduce this risk, the time and attendance application could be configured to require that the two copies be entered by different clerks.

In addition, each department has one or more Time and Attendance Supervisors who are authorized to review these reports for accuracy and to approve them by running another server program that is part of the time and attendance application. The data are then subjected to a collection of sanity checks to detect entries whose values are outside expected ranges.
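The double-entry reconciliation and sanity checks just described, together with the separation-of-duty rules given earlier in this section (at least two reviewers other than the affected individual; a supervisor may not approve their own data), as an added example in Python. This is not code from the handbook and not HGA's application. The record layout, the plausibility limits (a 40-hour regular week, at most 80 worked plus overtime hours, leave balances that may not go negative), the rule that the approver must be the employee's supervisor of record, and the sample roster are all assumptions made for illustration; the text does not give HGA's actual limits.

```python
"""Time and attendance entry checks for the HGA case study (added example).

Not HGA's application and not code from the NIST handbook. The record
layout, the plausibility limits and the sample roster are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

REGULAR_HOURS = 40.0        # assumed length of the regular work week
MAX_HOURS_PER_WEEK = 80.0   # assumed ceiling on worked + overtime hours


@dataclass(frozen=True)
class TimeSheet:
    employee_id: str
    hours_worked: float
    overtime_hours: float
    leave_taken: float      # hours of vacation or sick leave charged this week
    entered_by: str         # clerk who keyed this copy


@dataclass(frozen=True)
class Employee:
    employee_id: str
    supervisor_id: str
    leave_balance: float    # hours available before this week's charge


def reconcile(copy_a: TimeSheet, copy_b: TimeSheet,
              require_different_clerks: bool = False) -> List[str]:
    """Double-entry check: list the discrepancies between the two keyed copies.

    Matching copies yield an empty list, which is also what a clerk who made
    the same keying error twice produces; the optional different-clerks rule
    is the mitigation the text suggests for that case.
    """
    issues = []
    for name in ("employee_id", "hours_worked", "overtime_hours", "leave_taken"):
        a, b = getattr(copy_a, name), getattr(copy_b, name)
        if a != b:
            issues.append(f"{name}: {a} vs {b}")
    if require_different_clerks and copy_a.entered_by == copy_b.entered_by:
        issues.append("both copies entered by the same clerk")
    return issues


def sanity_check(sheet: TimeSheet, roster: Dict[str, Employee]) -> List[str]:
    """Exception / out-of-bound conditions for the supervisor's report."""
    emp = roster.get(sheet.employee_id)
    if emp is None:
        return [f"unknown employee identifier {sheet.employee_id!r}"]
    problems = []
    total = sheet.hours_worked + sheet.overtime_hours
    if min(sheet.hours_worked, sheet.overtime_hours, sheet.leave_taken) < 0:
        problems.append("negative hours field")
    if total > MAX_HOURS_PER_WEEK:
        problems.append(f"implausible hours: {total} in one week")
    if sheet.hours_worked + sheet.leave_taken > REGULAR_HOURS:
        problems.append("worked plus leave hours exceed the regular work week")
    remaining = emp.leave_balance - sheet.leave_taken
    if remaining < 0:
        problems.append(f"negative leave balance: {remaining}")
    return problems


def separation_of_duty(sheet: TimeSheet, reviewers: List[str], approver: str,
                       roster: Dict[str, Employee]) -> List[str]:
    """Review/approval rules from the text, plus the assumed supervisor-of-record rule."""
    problems = []
    independent = {r for r in reviewers if r != sheet.employee_id}
    if len(independent) < 2:
        problems.append("fewer than two reviewers other than the affected employee")
    if approver == sheet.employee_id:
        problems.append("supervisor may not approve their own time sheet")
    elif approver != roster[sheet.employee_id].supervisor_id:
        problems.append("approver is not the employee's supervisor of record")
    return problems


def process_time_sheet(copy_a: TimeSheet, copy_b: TimeSheet, roster: Dict[str, Employee],
                       reviewers: List[str], approver: str,
                       require_different_clerks: bool = False) -> Tuple[bool, List[str]]:
    """Run the stages in the order the text describes; stop at the first that fails."""
    for stage in (
        lambda: reconcile(copy_a, copy_b, require_different_clerks),
        lambda: sanity_check(copy_a, roster),
        lambda: separation_of_duty(copy_a, reviewers, approver, roster),
    ):
        issues = stage()
        if issues:
            return False, issues
    return True, []


# Constructed sample roster (not HGA data).
ROSTER = {
    "E1001": Employee("E1001", supervisor_id="S2001", leave_balance=12.0),
    "S2001": Employee("S2001", supervisor_id="D3001", leave_balance=40.0),
}

if __name__ == "__main__":
    a = TimeSheet("E1001", 32.0, 0.0, 8.0, "clerk1")
    b = TimeSheet("E1001", 32.0, 0.0, 8.0, "clerk2")
    print(process_time_sheet(a, b, ROSTER, ["clerk1", "S2001"], "S2001"))
```

The stages are deliberately ordered as the text orders them: a discrepancy between the two copies goes back to the clerk before any plausibility check runs, and the approval rules are evaluated only on data that has already passed the clerk's checks. The same-error-twice case shows up as an empty discrepancy list, which is exactly why the different-clerks option exists.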
Potential anomalies are displayed to the supervisor prior to allowing approval; if errors are identified, the data are returned to a clerk for additional examination and corrections.

When a supervisor approves the time and attendance data, this application logs into the WAN and transfers the data to a payroll database on the interagency mainframe via the WAN. The mainframe later prints paychecks or, using a pool of modems that can send data over phone lines, it may transfer the funds electronically into employee-designated bank accounts. Withheld taxes and contributions are also transferred electronically in this manner.

The Director of Personnel is responsible for ensuring that forms describing significant payroll-related personnel actions are provided to the Payroll Office at least one week before the payroll processing date for the first affected pay period. These actions include hiring, terminations, transfers, leaves of absence and returns from such, and pay raises.

The Manager of the Payroll Office is responsible for establishing and maintaining controls adequate to ensure that the amounts of pay, leave, and other benefits reported on pay stubs, recorded in permanent records, and distributed electronically are accurate and consistent with time and attendance data and with other information provided by the Personnel Department. In particular, paychecks must never be provided to anyone who is not a bona fide, active-status employee of HGA. Moreover, the pay of any employee who terminates employment, who transfers, or who goes on leave without pay must be suspended as of the effective date of such action; that is, extra paychecks or excess pay must not be disbursed.

Protection Against Accidental Corruption or Loss of Payroll Data

The same mechanisms used to protect against fraudulent modification are used to protect against accidental corruption of time and attendance data -- namely, the access-control
features of the server and mainframe operating systems.

COG's nightly backups of the server's disks protect against loss of time and attendance data. To a limited extent, HGA also relies on mainframe administrative personnel to back up time and attendance data stored on the mainframe, even though HGA has no direct control over these individuals. As additional protection against loss of data at the mainframe, HGA retains copies of all time and attendance data on line on the server for at least one year, at which time the data are archived and kept for three years. The server's access controls for the on-line files are automatically set to read-only access by the time and attendance application at the time of submission to the mainframe. The integrity of time and attendance data will be protected by digital signatures once they are implemented.

The WAN's communications protocols also protect against loss of data during transmission from the server to the mainframe (e.g., error checking). In addition, the mainframe payroll application includes a program that is automatically run 24 hours before paychecks and pay stubs are printed. This program produces a report identifying agencies from whom time and attendance data for the current pay period were expected but not received. Payroll department staff are responsible for reviewing the reports and immediately notifying agencies that need to submit or resubmit time and attendance data. If time and attendance input or other related information is not available on a timely basis, pay, leave, and other benefits are temporarily calculated based on information estimated from prior pay periods.

20.4.3 Protection Against Interruption of Operations

HGA's policies regarding continuity of operations are derived from requirements stated in OMB Circular A-130. HGA requires various organizations within it to develop contingency plans, test them annually, and establish appropriate
administrative and operational procedures for supporting them. The plans must identify the facilities, equipment, supplies, procedures, and personnel needed to ensure reasonable continuity of operations under a broad range of adverse circumstances.

COG Contingency Planning

COG is responsible for developing and maintaining a contingency plan that sets forth the procedures and facilities to be used when physical plant failures, natural disasters, or major equipment malfunctions occur sufficient to disrupt the normal use of HGA's PCs, LAN, server, router, printers, and other associated equipment. The plan prioritizes applications that rely on these resources, indicating those that should be suspended if available automated functions or capacities are temporarily degraded. COG personnel have identified system software and hardware components that are compatible with those used by two nearby agencies. HGA has signed an agreement with those agencies whereby they have committed to reserving spare computational and storage capacities sufficient to support HGA's system-based operations for a few days during an emergency.

No communication devices or network interfaces may be connected to HGA's systems without written approval of the COG Manager. The COG staff is responsible for installing all known security-related software patches in a timely manner, and for maintaining spare or redundant PCs, servers, storage devices, and LAN interfaces to ensure that at least 100 people can simultaneously perform word processing tasks at all times.

To protect against accidental corruption or loss of data, COG personnel back up the LAN server's disks onto magnetic tape every night and transport the tapes weekly to a sister agency for storage. HGA's policies also stipulate that all PC users are responsible for backing up weekly any significant data stored on their PC's local hard disks. For the past several years, COG has issued a yearly memorandum reminding users of this responsibility. COG also strongly encourages them to store significant data on the LAN server instead of on their PC's hard disk, so that such data will be backed up automatically during
COG's LAN server backups.

To prevent more limited computer equipment malfunctions from interrupting routine business operations, COG maintains an inventory of approximately ten fully equipped spare PCs, a spare LAN server, and several spare disk drives for the server. COG also keeps thousands of feet of LAN cable on hand. If a segment of the LAN cable that runs through the ceilings and walls of HGA's buildings fails or is accidentally severed, COG technicians will run temporary LAN cabling along the floors of hallways and offices, typically restoring service within a few hours, for as long as needed until the cable failure is located and repaired.

To protect against PC virus contamination, HGA authorizes only System Administrators approved by the COG Manager to install licensed, copyrighted PC software packages that appear on the COG-approved list. PC software applications are generally installed only on the server. (These stipulations are part of an HGA assurance strategy that relies on the quality of the engineering practices of vendors to provide software that is adequately robust and trustworthy.) Only the COG Manager is authorized to add packages to the approved list. COG procedures also stipulate that every month System Administrators should run virus-detection and other security-configuration validation utilities on the server and, on a spot-check basis, on a number of PCs. If they find a virus, they must immediately notify the agency team that handles computer security incidents.

COG is also responsible for reviewing the audit logs generated by the server, identifying audit records indicative of security violations, and reporting such indications to the Incident-Handling Team. The COG Manager assigns these duties to specific members of the staff and ensures that they are implemented as intended.
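The audit log review assigned to COG above, run over constructed sample records, as an added Python example. This is not COG's tooling and not code from the handbook. The log format (a timestamp followed by key=value fields), the account roles, the function and station names, the working hours (07:00 to 18:59, Monday to Friday) and the sample records are all assumptions; the rules checked are the ones this chapter states: administrative functions only from the administrator console, dial-up sessions limited to e-mail, clerk and supervisor functions only from designated PCs during normal working hours, and no entry, correction or submission of time and attendance data by administrators.

```python
"""Review of server audit records against HGA's stated rules (added example).

Not COG's tooling. The log line format, roles, station names, working hours
and the sample records are constructed assumptions.
"""
from datetime import datetime
from typing import Dict, List

ADMIN_FUNCTIONS = {"create_account", "delete_account", "set_permissions"}
TA_FUNCTIONS = {"ta_enter", "ta_correct", "ta_approve", "ta_submit"}
TA_STATIONS = {"PC-PAY-01", "PC-PAY-02"}   # assumed designated clerk/supervisor PCs
WORK_HOURS = range(7, 19)                  # assumed 07:00-18:59, Monday-Friday


def parse_record(line: str) -> Dict[str, str]:
    """Constructed format: '<YYYY-MM-DD> <HH:MM> key=value key=value ...'."""
    date, time, *pairs = line.split()
    rec = {"when": f"{date} {time}"}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def during_working_hours(when: str) -> bool:
    ts = datetime.strptime(when, "%Y-%m-%d %H:%M")
    return ts.weekday() < 5 and ts.hour in WORK_HOURS


def review_record(rec: Dict[str, str]) -> List[str]:
    """Return every rule the record violates (empty list if none)."""
    findings = []
    func, session = rec.get("function", ""), rec.get("session", "")
    # Rule: administrative functions only from the administrator console.
    if func in ADMIN_FUNCTIONS and session != "console":
        findings.append(f"administrative function {func} invoked from {session} session")
    # Rule: dial-up sessions may invoke nothing but e-mail.
    if session == "dialup" and func != "email":
        findings.append(f"non-e-mail function {func} in dial-up session")
    # Rules for clerk/supervisor functions of the time and attendance application.
    if func in TA_FUNCTIONS:
        if rec.get("station") not in TA_STATIONS:
            findings.append(f"{func} from undesignated station {rec.get('station')}")
        if not during_working_hours(rec["when"]):
            findings.append(f"{func} outside normal working hours")
        if rec.get("role") == "admin":
            findings.append(f"administrator {rec.get('user')} performed {func}")
    return findings


def review_log(lines: List[str]) -> List[str]:
    """Flag each violation as 'user@when: finding', for reporting to the Incident-Handling Team."""
    out = []
    for line in lines:
        rec = parse_record(line)
        for finding in review_record(rec):
            out.append(f"{rec.get('user')}@{rec['when']}: {finding}")
    return out


# Constructed sample audit records (not HGA data).
SAMPLE_LOG = [
    "1995-03-14 09:05 user=mlee role=clerk session=lan station=PC-PAY-01 function=ta_enter",
    "1995-03-14 10:40 user=rkim role=supervisor session=lan station=PC-PAY-02 function=ta_approve",
    "1995-03-14 22:15 user=jdoe role=admin session=dialup station=MODEM-3 function=create_account",
    "1995-03-14 23:02 user=jdoe role=admin session=lan station=PC-ENG-07 function=ta_submit",
    "1995-03-18 11:30 user=mlee role=clerk session=lan station=PC-PAY-01 function=ta_correct",
    "1995-03-14 12:00 user=tsmith role=user session=dialup station=MODEM-1 function=email",
    "1995-03-14 13:00 user=root role=admin session=console station=CONSOLE function=delete_account",
]

if __name__ == "__main__":
    for line in review_log(SAMPLE_LOG):
        print(line)
```

A record can violate several rules at once (the administrator submitting time and attendance data from an engineering PC at 23:02 trips three), and each is reported separately so the Incident-Handling Team sees which policy was crossed. Note that the review depends on the server actually recording the session type and station; the chapter's own account of earlier intrusions says HGA's logging was once insufficient to reconstruct an attacker's activity.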
The COG Manager is responsible for assessing adverse circumstances and for providing recommendations to HGA's Director. Based on these and other sources of input, the Director will determine whether the circumstances are dire enough to merit activating various sets of procedures called for in the contingency plan.

Division Contingency Planning

HGA's divisions also must develop and maintain their own contingency plans. The plans must identify critical business functions, the system resources and applications on which they depend, and the maximum acceptable periods of interruption that these functions can tolerate without significant reduction in HGA's ability to fulfill its mission. The head of each division is responsible for ensuring that the division's contingency plan and associated support activities are adequate.

For each major application used by multiple divisions, a chief of a single division must be designated as the application owner. The designated official, supported by his or her staff, is responsible for addressing that application in the contingency plan and for coordinating with other divisions that use the application.

If a division relies exclusively on computer resources maintained by COG (e.g., the LAN), it need not duplicate COG's plan but is responsible for reviewing the adequacy of that plan. If COG's plan does not adequately address the division's needs, the division must communicate its concerns to the COG Director. In either situation, the division must make known the criticality of its applications to COG. If the division relies on computer resources or services that are not provided by COG, the division is responsible for (1) developing its own contingency plan or (2) ensuring that the contingency plans of other organizations (e.g., the WAN service provider) provide adequate protection against service disruptions.

20.4.4 Protection Against Disclosure or Brokerage of Information

HGA's protection against information
disclosure is based on a need-to-know policy and on personnel hiring and screening practices. The need-to-know policy states that time and attendance information should be made accessible only to HGA employees and contractors whose assigned professional responsibilities require it. Such information must be protected against access from all other individuals, including other HGA employees. Appropriate hiring and screening practices can lessen the risk that an untrustworthy individual will be assigned such responsibilities.

The need-to-know policy is supported by a collection of physical, procedural, and automated safeguards, including the following:

o Time and attendance paper documents must be stored securely when not in use, particularly during evenings and on weekends. Approved storage containers include locked file cabinets and desk drawers to which only the owner has the keys. While storage in a container is preferable, it is also permissible to leave time and attendance documents on top of a desk or other exposed surface in a locked office, with the realization that the guard force has keys to the office. This is a judgment left to local discretion. Similar rules apply to disclosure-sensitive information stored on floppy disks and other removable magnetic media.

o Every HGA PC is equipped with a key lock that, when locked, disables the PC. When information is stored on a PC's local hard disk, the user to whom that PC was assigned is expected to (1) lock the PC at the conclusion of each work day and (2) lock the office in which the PC is located.

o The LAN server operating system's access controls provide extensive features for controlling access to files. These include group-oriented controls that allow teams of users to be assigned to named groups by the System Administrator. Group members are then allowed access to sensitive files not accessible to nonmembers. Each user can be assigned to several groups according to need to know. (The reliable functioning
of these controls is assumed, perhaps incorrectly, by HGA.)

o All PC users undergo security awareness training when first provided accounts on the LAN server. Among other things, the training stresses the necessity of protecting passwords. It also instructs users to log off the server before going home at night or before leaving the PC unattended for periods exceeding an hour.

20.4.5 Protection Against Network-Related Threats

HGA's current set of external network safeguards has only been in place for a few months. The basic approach is to tightly restrict the kinds of external network interactions that can occur by funneling all traffic to and from external networks through two interfaces that filter out unauthorized kinds of interactions. As indicated in Figure 20.1, the two interfaces are the network router and the LAN server. The only kinds of interactions that these interfaces allow are (1) e-mail and (2) data transfers from the server to the mainframe controlled by a few special applications (e.g., the time and attendance application).

Figure 20.1 shows that the network router is the only direct interface between the LAN and the Internet. The router is a dedicated special-purpose computer that translates between the protocols and addresses associated with the LAN and those used on the Internet. Internet protocols, unlike those used on the WAN, specify that packets of information coming from or going to the Internet must carry an indicator of the kind of service that is being requested or used to process the information. This makes it possible for the router to distinguish e-mail packets from other kinds of packets -- for example, those associated with a remote log-in request. [142] The router has been configured by COG to discard all packets coming from or going to the Internet except those associated with e-mail. COG personnel believe that the router effectively eliminates Internet-based attacks on HGA user accounts because it disallows all remote log-in sessions, even those accompanied by a legitimate password.

[142] Although not discussed in this example, recognize that technical "spoofing" can occur.
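The router rule just described, and the spoofing caveat of footnote 142, as an added Python model of the policy. This is not code from the handbook and not COG's actual configuration. It assumes that the "service indicator" is the TCP port number (port 25, SMTP, for e-mail; the telnet and rlogin ports for remote log-in), that the LAN uses 10.1.x.x addresses, and that the LAN server at 10.1.0.2 is the only host that exchanges e-mail with the Internet; all of these are assumptions for illustration. It goes beyond the text by also showing a hardened form of the rule that ties the port to the packet's direction and to the TCP ACK flag, so that a source port of 25 chosen by the remote side does not open other ports on the server.

```python
"""Model of HGA's router policy for Internet traffic (added example).

Not COG's configuration. Addresses, the port-to-service mapping and the
sample packets are assumptions; the service indicator is the TCP port.
"""
from dataclasses import dataclass

LAN_PREFIX = "10.1."        # assumed HGA LAN addressing
MAIL_SERVER = "10.1.0.2"    # assumed address of the LAN server (the e-mail host)
SMTP_PORT = 25
REMOTE_LOGIN_PORTS = {23, 513}   # telnet, rlogin


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    ack: bool = False       # TCP ACK flag: set on every segment of a session after the first


def zone(addr: str) -> str:
    return "lan" if addr.startswith(LAN_PREFIX) else "internet"


def service_indicator(pkt: Packet) -> str:
    """All the router can see: the port numbers in the header, chosen by the sender."""
    if pkt.proto != "tcp":
        return "other"
    if SMTP_PORT in (pkt.sport, pkt.dport):
        return "e-mail"
    if pkt.dport in REMOTE_LOGIN_PORTS:
        return "remote-login"
    return "other"


def router_decision(pkt: Packet, hardened: bool = False) -> str:
    """Return 'forward', 'discard', or 'not-seen' (traffic that never crosses the router)."""
    if zone(pkt.src) == zone(pkt.dst):
        return "not-seen"
    lan_end = pkt.dst if zone(pkt.dst) == "lan" else pkt.src
    if lan_end != MAIL_SERVER:          # only the server exchanges e-mail with the Internet
        return "discard"
    if not hardened:
        # COG's rule as the text states it: anything that looks like e-mail is forwarded.
        return "forward" if service_indicator(pkt) == "e-mail" else "discard"
    # Hardened: accept port 25 as a *source* only on ACK-bearing packets to a
    # high port, i.e. replies within a session our side opened.
    new_mail = pkt.dport == SMTP_PORT
    reply = pkt.sport == SMTP_PORT and pkt.dport >= 1024 and pkt.ack
    return "forward" if (new_mail or reply) else "discard"


if __name__ == "__main__":
    spoofed = Packet("192.0.2.10", MAIL_SERVER, sport=25, dport=23)
    print(router_decision(spoofed), router_decision(spoofed, hardened=True))
```

The spoofing case is the classic one: an Internet host that sets its source port to 25 makes any packet look like e-mail to a filter that matches either port, so the weak rule forwards a remote log-in attempt to port 23 on the server while still believing remote log-in is impossible. The hardened rule approximates "established" with the ACK flag and a high destination port, which is what a stateless filter can do; it still trusts header bits the attacker controls, which is why the footnote is right not to treat the router alone as sufficient.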
The LAN server enforces a similar type of restriction for dial-in access via the public-switched network. The access controls provided by the server's operating system have been configured so that during dial-in sessions only the e-mail utility can be executed. (HGA policy, enforced by periodic checks, prohibits installation of modems on PCs, so that access must be through the server.) In addition, the server's access controls have been configured so that its WAN interface device is accessible only to programs that possess a special access-control privilege. Only the System Administrator can assign this privilege to server programs, and only a handful of special-purpose applications, like the time and attendance application, have been assigned this privilege.

20.4.6 Protection Against Risks from Non-HGA Computer Systems

HGA relies on systems and components that it cannot control directly because they are owned by other organizations. HGA has developed a policy to avoid undue risk in such situations. The policy states that system components controlled and operated by organizations other than HGA may not be used to process, store, or transmit HGA information without obtaining explicit permission from the application owner and the COG Manager. Permission to use such system components may not be granted without written commitment from the controlling organization that HGA's information will be safeguarded commensurate with its value, as designated by HGA. This policy is somewhat mitigated by the fact that HGA has developed an issue-specific policy on the use of the Internet, which allows for its use for e-mail with outside organizations and access to other resources, but not for transmission of HGA's proprietary data.

20.5 Vulnerabilities Reported by the Risk Assessment Team

The risk assessment team found that many of the risks to which HGA is exposed stem from (1)
comply with established policies and procedures, or (2) the use of automated mechanisms whose assurance is questionable because of the ways they have been developed, tested, implemented, used, or maintained. The team also identified specific vulnerabilities in HGA's policies and procedures for protecting against payroll fraud and errors, interruption of operations, disclosure and brokering of confidential information, and unauthorized access to data by outsiders.

20.5.1 Vulnerabilities Related to Payroll Fraud

Falsified Time Sheets

The primary safeguards against falsified time sheets are review and approval by supervisory personnel, who are not permitted to approve their own time and attendance data. The risk assessment has concluded that, while imperfect, these safeguards are adequate. The related requirement that a clerk and a supervisor must cooperate closely in creating time and attendance data and submitting the data to the mainframe also safeguards against other kinds of illicit manipulation of time and attendance data by clerks or supervisors acting independently.

Unauthorized Access

When a PC user enters a password to the server during I&A, the password is sent to the LAN server by broadcasting it over the LAN "in the clear." This allows the password to be intercepted easily by any other PC connected to the LAN. In fact, so-called "password sniffer" programs that capture passwords in this way are widely available. Similarly, a malicious program planted on a PC could also intercept passwords before transmitting them to the server. An unauthorized individual who obtained the captured passwords could then run the time and attendance application in place of a clerk or supervisor. Users might also store passwords in a log-on script file.

Bogus Time and Attendance Applications

The server's access controls are probably adequate for protection against bogus time and attendance applications that run on the server. However,
the server's operating system and access controls have only been in widespread use for a few years and contain a number of security-related bugs. And the server's access controls are ineffective if not properly configured, and the administration of the server's security features in the past has been notably lax.

Unauthorized Modification of Time and Attendance Data

Protection against unauthorized modification of time and attendance data requires a variety of safeguards because each system component on which the data are stored or transmitted is a potential source of vulnerabilities.

First, the time and attendance data are entered on the server by a clerk. On occasion, the clerk may begin data entry late in the afternoon and complete it the following morning, storing it in a temporary file between the two sessions. One way to avoid unauthorized modification is to store the data on a diskette and lock it up overnight. After being entered, the data will be stored in another temporary file until reviewed and approved by a supervisor. These files, now stored on the system, must be protected against tampering. As before, the server's access controls, if reliable and properly configured, can provide such protection (as can digital signatures, as discussed later) in conjunction with proper auditing.

Second, when the Supervisor approves a batch of time and attendance data, the time and attendance application sends the data over the WAN to the mainframe. The WAN is a collection of communications equipment and special-purpose computers called "switches" that act as relays, routing information through the network from source to destination. Each switch is a potential site at which the time and attendance data may be fraudulently modified. For example, an HGA PC user might be able to intercept time and attendance data and modify the data en route to the payroll application on the mainframe. Opportunities include
tampering with incomplete time and attendance input files while stored on the server, interception and tampering during WAN transit, or tampering on arrival at the mainframe prior to processing by the payroll application.

Third, on arrival at the mainframe, the time and attendance data are held in a temporary file on the mainframe until the payroll application is run. Consequently, the mainframe's I&A and access controls must provide a critical element of protection against unauthorized modification of the data.

According to the risk assessment, the server's access controls, with prior caveats, probably provide acceptable protection against unauthorized modification of data stored on the server. The assessment concluded that a WAN-based attack involving collusion between an employee of HGA and an employee of the WAN service provider, although unlikely, should not be dismissed entirely, especially since HGA has only cursory information about the service provider's personnel security practices and no contractual authority over how it operates the WAN.

The greatest source of vulnerabilities, however, is the mainframe. Although its operating system's access controls are mature and powerful, it uses password-based I&A. This is of particular concern because it serves a large number of federal agencies via WAN connections. A number of these agencies are known to have poor security programs. As a result, one such agency's systems could be penetrated (e.g., from the Internet) and then used in attacks on the mainframe via the WAN. In fact, time and attendance data awaiting processing on the mainframe would probably not be as attractive a target to an attacker as other kinds of data or, indeed, disabling the system, rendering it unavailable. For example, an attacker might be able to modify the employee data base so that it disbursed paychecks or pension checks to fictitious employees. Disclosure-sensitive law enforcement databases might also be attractive targets.

The access control on the mainframe is strong and provides good protection against intruders breaking into a second
application after they have broken into a first. However, previous audits have shown that the difficulties of system administration may present some opportunities for intruders to defeat access controls.

20.5.2 Vulnerabilities Related to Payroll Errors

HGA's management has established procedures for ensuring the timely submission and interagency coordination of paperwork associated with personnel status changes. However, an unacceptably large number of troublesome payroll errors during the past several years has been traced to the late submission of personnel paperwork. The risk assessment documented the adequacy of HGA's safeguards, but criticized the managers for not providing sufficient incentives for compliance.

20.5.3 Vulnerabilities Related to Continuity of Operations

COG Contingency Planning

The risk assessment commended HGA for many aspects of COG's contingency plan, but pointed out that many COG personnel were completely unaware of the responsibilities the plan assigned to them. The assessment also noted that although HGA's policies require annual testing of contingency plans, the capability to resume HGA's computer-processing activities at another cooperating agency has never been verified and may turn out to be illusory.

Division Contingency Planning

The risk assessment reviewed a number of the application-oriented contingency plans developed by HGA's divisions (including plans related to time and attendance). Most of the plans were cursory and attempted to delegate nearly all contingency planning responsibility to COG. The assessment criticized several of these plans for failing to address potential disruptions caused by lack of access to (1) computer resources not managed by COG and (2) nonsystem resources, such as buildings, phones, and other facilities. In particular, the contingency plan encompassing the time and attendance application was criticized for not addressing disruptions caused by WAN and mainframe
outages.

Virus Prevention

The risk assessment found HGA's virus-prevention policy and procedures to be sound, but noted that there was little evidence that they were being followed. In particular, no COG personnel interviewed had ever run a virus scanner on a PC on a routine basis, though several had run them during publicized virus scares. The assessment cited this as a significant risk item.

Accidental Corruption and Loss of Data

The risk assessment concluded that HGA's safeguards against accidental corruption and loss of time and attendance data were adequate, but that safeguards for some other kinds of data were not. The assessment included an informal audit of a dozen randomly chosen PCs and PC users in the agency. It concluded that many PC users store significant data on their PC's hard disks but do not back them up. Based on anecdotes, the assessment's authors stated that there appear to have been many past incidents of loss of information stored on PC hard disks and predicted that such losses would continue.

20.5.4 Vulnerabilities Related to Information Disclosure/Brokerage

HGA takes a conservative approach toward protecting information about its employees. Since information brokerage is more likely to be a threat to large collections of data, the HGA risk assessment focused primarily, but not exclusively, on protecting the mainframe.

The risk assessment concluded that significant, avoidable information brokering vulnerabilities were present -- particularly due to HGA's lack of compliance with its own policies and procedures. Time and attendance documents were typically not stored securely after hours, and few PCs containing time and attendance information were routinely locked. Worse yet, few were routinely powered down, and many were left logged into the LAN server overnight. These practices make it easy for an HGA employee wandering the halls after hours to browse or copy time and attendance information on
another employee's desk, PC hard disk, or LAN server directories.

The risk assessment pointed out that information sent to or retrieved from the server is subject to eavesdropping by other PCs on the LAN. The LAN hardware transmits information by broadcasting it to all connection points on the LAN cable. Moreover, information sent to or retrieved from the server is transmitted in the clear -- that is, without encryption. Given the widespread availability of LAN "sniffer" programs, LAN eavesdropping is trivial for a prospective information broker and, hence, is likely to occur.

Last, the assessment noted that HGA's employee master database is stored on the mainframe, where it might be a target for information brokering by employees of the agency that owns the mainframe. It might also be a target for information brokering, fraudulent modification, or other illicit acts by any outsider who penetrates the mainframe via another host on the WAN.

20.5.5 Network-Related Vulnerabilities

The risk assessment concurred with the general approach taken by HGA, but identified several vulnerabilities. It reiterated previous concerns about the lack of assurance associated with the server's access controls and pointed out that these play a critical role in HGA's approach. The assessment noted that the e-mail utility allows a user to include a copy of any otherwise accessible file in an outgoing mail message. If an attacker dialed in to the server and succeeded in logging in as an HGA employee, the attacker could use the mail utility to export copies of all the files accessible to that employee. In fact, copies could be mailed to any host on the Internet. The assessment also noted that the WAN service provider may rely on microwave stations or satellites as relay points, thereby exposing HGA's information to eavesdropping. Similarly, any information, including passwords and mail messages, transmitted during a dial-in session is subject to eavesdropping.

20.6 Recommendations for Mitigating the Identified
Vulnerabilities[143]

The discussions in the following subsections were chosen to illustrate a broad sampling of handbook topics. Risk management and security program management themes are integral throughout, with particular emphasis given to the selection of risk-driven safeguards.

20.6.1 Mitigating Payroll Fraud Vulnerabilities

To remove the vulnerabilities related to payroll fraud, the risk assessment team recommended the use of stronger authentication mechanisms based on smart tokens[144] to generate one-time passwords that cannot be used by an interloper for subsequent sessions. Such mechanisms would make it very difficult for outsiders (e.g., from the Internet) who penetrate systems on the WAN to use them to attack the mainframe. The authors noted, however, that the mainframe serves many different agencies, and HGA has no authority over the way the mainframe is configured and operated. Thus, the costs and procedural difficulties of implementing such controls would be substantial. The assessment team also recommended improving the server's administrative procedures and the speed with which security-related bug fixes distributed by the vendor are installed on the server.

After input from COG security specialists and application owners, HGA's managers accepted most of the risk assessment team's recommendations. They decided that since the residual risks from the falsification of time sheets were acceptably low, no changes in procedures were necessary. However, they judged the risks of payroll fraud due to the interceptability of LAN server passwords to be unacceptably high, and thus directed COG to investigate the costs and procedures associated with using one-time passwords for Time and Attendance Clerk and supervisor sessions on the server. Other users performing less sensitive tasks on the LAN would continue to use password-based authentication.

While the immaturity of the LAN server's access controls was judged a significant source of risk, COG was only able to identify one other PC LAN product that would be
significantly better in this respect. Unfortunately, this product was considerably less friendly to users and application developers, and incompatible with other applications used by HGA. The negative impact of changing PC LAN products was judged too high for the potential incremental gain in security benefits. Consequently, HGA decided to accept the risks accompanying use of the current product, but directed COG to improve its monitoring of the server's access control configuration and its responsiveness to vendor security reports and bug fixes.

[143] Note that, for the sake of brevity, the process of evaluating the cost-effectiveness of various security controls is not specifically discussed.

[144] Security in the application and in controls such as auditing and access controls plays an important role in many areas. The limited nature of this example, however, prevents a broader discussion.

HGA concurred that risks of fraud due to unauthorized modification of time and attendance data at or in transit to the mainframe should not be accepted unless no practical solutions could be identified. After discussions with the mainframe's owning agency, HGA concluded that the owning agency was unlikely to adopt the advanced authentication techniques advocated in the risk assessment. COG, however, proposed an alternative approach that did not require a major resource commitment on the part of the mainframe owner.

The alternative approach would employ digital signatures based on public key cryptographic techniques to detect unauthorized modification of time and attendance data. The data would be digitally signed by the supervisor using a private key prior to transmission to the mainframe. When the payroll application program was run on the mainframe, it would use the corresponding public key to validate the correspondence between the time and attendance data and the signature. Any modification of the data during transmission
over the WAN or while in temporary storage at the mainframe would result in a mismatch between the signature and the data. If the payroll application detected a mismatch, it would reject the data; HGA personnel would then be notified and asked to review, sign, and send the data again. If the data and signature matched, the payroll application would process the time and attendance data normally.

HGA's decision to use advanced authentication for time and attendance Clerks and Supervisors can be combined with digital signatures by using smart tokens. Smart tokens are programmable devices, so they can be loaded with private keys and instructions for computing digital signatures without burdening the user. When supervisors approve a batch of time and attendance data, the time and attendance application on the server would instruct the supervisor to insert their token in the token reader/writer device attached to the supervisor's PC. The application would then send a special "hash" (summary) of the time and attendance data to the token via the PC. The token would generate a digital signature using its embedded secret key and then transfer the signature back to the server, again via the PC. The time and attendance application running on the server would append the signature to the data before sending the data to the mainframe and, ultimately, the payroll application.

Although this approach did not address the broader problems posed by the mainframe's I&A vulnerabilities, it does provide a reliable means of detecting time and attendance data tampering. In addition, it protects against bogus time and attendance submissions from systems connected to the WAN, because individuals who lack a time and attendance supervisor's smart token will be unable to generate valid signatures. (Note, however, that the use of digital signatures does require increased administration, particularly in the area of key management.) In summary, digital signatures mitigate risks from a number of different kinds of threats.
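The sign-on-token, verify-on-mainframe flow described above, as an added example that is not part of the handbook or of any HGA system: a Go program in which a supervisor token signs the hash of a constructed time and attendance batch, the payroll side validates it with the public key, and a batch altered in transit (or signed by someone without the supervisor's token) fails the check. The type and function names are assumptions, as is the choice of ECDSA P-256 over SHA-256 to stand in for the unspecified public key technique.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Entry and Batch are constructed stand-ins for one supervisor-approved
// time and attendance submission (a hypothetical layout, not HGA's format).
type Entry struct {
	Employee string  `json:"employee"`
	Hours    float64 `json:"hours"`
}

type Batch struct {
	Supervisor string  `json:"supervisor"`
	PayPeriod  string  `json:"pay_period"`
	Entries    []Entry `json:"entries"`
}

// SignedBatch is the data plus the signature the server appends before
// sending the batch over the WAN to the mainframe.
type SignedBatch struct {
	Batch     Batch
	Signature []byte // ASN.1 DER ECDSA signature over digest(Batch)
}

// SupervisorToken models the smart token: the private key never leaves it;
// the PC hands it a hash and receives a signature back.
type SupervisorToken struct{ priv *ecdsa.PrivateKey }

func NewSupervisorToken() (*SupervisorToken, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SupervisorToken{priv: priv}, nil
}

// PublicKey is what the mainframe's payroll application holds per supervisor.
func (t *SupervisorToken) PublicKey() *ecdsa.PublicKey { return &t.priv.PublicKey }

// SignHash runs on the token and signs only the summary hash it is given.
func (t *SupervisorToken) SignHash(hash []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, t.priv, hash)
}

// digest is the "hash" (summary) the server application computes over the
// batch; canonical JSON keeps the encoding identical on both sides.
func digest(b Batch) ([]byte, error) {
	enc, err := json.Marshal(b)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(enc)
	return sum[:], nil
}

// ApproveBatch is the server-side step when the supervisor approves a batch.
func ApproveBatch(b Batch, tok *SupervisorToken) (SignedBatch, error) {
	h, err := digest(b)
	if err != nil {
		return SignedBatch{}, err
	}
	sig, err := tok.SignHash(h)
	if err != nil {
		return SignedBatch{}, err
	}
	return SignedBatch{Batch: b, Signature: sig}, nil
}

// VerifyBatch is the mainframe-side check: true means data and signature
// match and payroll may proceed; false means reject and notify HGA.
func VerifyBatch(sb SignedBatch, pub *ecdsa.PublicKey) (bool, error) {
	h, err := digest(sb.Batch)
	if err != nil {
		return false, err
	}
	return ecdsa.VerifyASN1(pub, h, sb.Signature), nil
}

// SampleBatch returns constructed sample data.
func SampleBatch() Batch {
	return Batch{Supervisor: "supervisor-01", PayPeriod: "1995-06-A",
		Entries: []Entry{{"clerk-42", 80}, {"analyst-07", 76.5}}}
}

// Tamper returns a copy with one entry's hours changed, as a WAN switch or
// the mainframe's temporary file could be made to alter it.
func Tamper(sb SignedBatch) SignedBatch {
	out := sb
	out.Batch.Entries = append([]Entry(nil), sb.Batch.Entries...)
	out.Batch.Entries[0].Hours = 400
	return out
}

func main() {
	tok, _ := NewSupervisorToken()
	signed, _ := ApproveBatch(SampleBatch(), tok)
	ok, _ := VerifyBatch(signed, tok.PublicKey())
	bad, _ := VerifyBatch(Tamper(signed), tok.PublicKey())
	fmt.Println("intact accepted:", ok, "tampered accepted:", bad)
}
```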
HGA's management concluded that digitally signing time and attendance data was a practical, cost-effective way of mitigating risks, and directed COG to pursue its implementation. (They also noted that it would be useful as the agency moved to use of digital signatures in other applications.) This is an example of developing and providing a solution in an environment over which no single entity has overall authority.

20.6.2 Mitigating Payroll Error Vulnerabilities

After reviewing the risk assessment, HGA's management concluded that the agency's current safeguards against payroll errors and against accidental corruption and loss of time and attendance data were adequate. However, the managers also concurred with the risk assessment's conclusions about the necessity for establishing incentives for complying (and penalties for not complying) with these safeguards. They thus tasked the Director of Personnel to ensure greater compliance with paperwork-handling procedures and to provide quarterly compliance audit reports. They noted that the digital signature mechanism HGA plans to use for fraud protection can also provide protection against payroll errors due to accidental corruption.

20.6.3 Mitigating Vulnerabilities Related to the Continuity of Operations

The assessment recommended that COG institute a program of periodic internal training and awareness sessions for COG personnel having contingency plan responsibilities. The assessment urged that COG undertake a rehearsal during the next three months in which selected parts of the plan would be exercised. The rehearsal should include attempting to initiate some aspect of processing activities at one of the designated alternative sites. HGA's management agreed that additional contingency plan training was needed for COG personnel and committed itself to its first plan rehearsal within three months.

After a short investigation, HGA divisions owning applications that depend on the WAN concluded that WAN outages, although inconvenient, would not have a major
impact on HGA. This is because the few time-sensitive applications that required the WAN were originally designed to work with magnetic tape instead of the WAN and could still operate in that mode; hence courier-delivered magnetic tapes could be used as an alternative input medium in case of a WAN outage. The divisions responsible for contingency planning for these applications agreed to incorporate into their contingency plans both descriptions of these procedures and other improvements.

With respect to mainframe outages, HGA determined that it could not easily make arrangements for a suitable alternative site. HGA also obtained and examined a copy of the mainframe facility's own contingency plan. After detailed study, including review by an outside consultant, HGA concluded that the plan had major deficiencies and posed significant risks because of HGA's reliance on it for payroll and other services. This was brought to the attention of the Director of HGA, who, in a formal memorandum to the head of the mainframe's owning agency, called for (1) a high-level interagency review of the plan by all agencies that rely on the mainframe, and (2) corrective action to remedy any deficiencies found.

HGA's management agreed to improve adherence to its virus-prevention procedures. It agreed (from the point of view of the entire agency) that information stored on PC hard disks is frequently lost. It estimated, however, that the labor hours lost as a result would amount to less than a person year -- which HGA management does not consider to be unacceptable. After reviewing options for reducing this risk, HGA concluded that it would be cheaper to accept the associated loss than to commit significant resources in an attempt to avoid it. COG volunteered, however, to set up an
automated program on the LAN server that e-mails backup reminders to all PC users once each quarter. In addition, COG agreed to provide regular backup services for about 5 percent of HGA's PCs; these will be chosen by HGA's management based on the information stored on their hard disks.

20.6.4 Mitigating Threats of Information Disclosure/Brokering

HGA concurred with the risk assessment's conclusions about its exposure to information-brokering risks and adopted most of the associated recommendations.

The assessment recommended that HGA improve its security awareness training (e.g., via mandatory refresher courses) and that it institute some form of compliance audits. The training should be sure to stress the penalties for noncompliance. It also suggested installing "screen lock" software on PCs that automatically locks a PC after a specified period of idle time in which no keystrokes have been entered (unlocking the screen requires that the user enter a password or reboot the system).

The assessment recommended that HGA modify its information-handling policies so that employees would be required to store some kinds of disclosure-sensitive information only on PC local hard disks (or floppies), but not on the server. This would eliminate or reduce risks of LAN eavesdropping. It was also recommended that an activity log be installed on the server (and regularly reviewed). Moreover, it would avoid unnecessary reliance on the server's access-control features, which are of uncertain assurance. The assessment noted, however, that this strategy conflicts with the desire to store most information on the server's disks so that it is backed up routinely by COG personnel. (This could be offset by assigning responsibility for backup copies to someone other than the PC owner.) Since the security habits of HGA's PC users have generally been poor, the assessment also recommended use of hard-disk encryption utilities to protect disclosure-sensitive information on unattended PCs from browsing by unauthorized individuals. Also, ways to encrypt information on the server's disks would be studied.

The assessment
recommended that HGA conduct a thorough review of the mainframe's safeguards in these respects, and that it regularly review the mainframe audit log, using a query package, with particular attention to records that describe user accesses to HGA's employee master database.

20.6.5 Mitigating Network-Related Threats

The assessment recommended that HGA:

o require stronger I&A for dial-in access or, alternatively, that a restricted version of the mail utility be provided for dial-in, which would prevent a user from including files in outgoing mail messages;

o replace its current modem pool with encrypting modems, and provide each dial-in user with such a modem; and

o work with the mainframe agency to install a similar encryption capability for server-to-mainframe communications over the WAN.

As with previous risk assessment recommendations, HGA's management tasked COG to analyze the costs, benefits, and impacts of addressing the vulnerabilities identified in the risk assessment. HGA eventually adopted some of the risk assessment's recommendations while declining others. In addition, HGA decided that its policy on handling time and attendance information needed to be clarified, strengthened, and elaborated, with the belief that implementing such a policy would help reduce risks of Internet and dial-in eavesdropping. Thus, HGA developed and issued a revised policy stating that users are individually responsible for ensuring that they do not transmit disclosure-sensitive information outside of HGA's facilities via e-mail or other means. It also prohibited them from examining or transmitting e-mail containing such information during dial-in sessions, and developed and promulgated penalties for noncompliance.

20.7 Summary

This chapter has illustrated how many of the concepts described in previous chapters might be applied in a federal agency. An integrated example concerning a Hypothetical Government Agency (HGA) has been discussed and used as the basis for examining a number of these concepts. HGA's distributed
system architecture and its uses were described. The time and attendance application was considered in some detail.

For context, some national and agency-level policies were referenced. Detailed operational policies and procedures for computer systems were discussed and related to these high-level policies. HGA assets and threats were identified, and a detailed survey of selected safeguards, vulnerabilities, and risk mitigation actions was presented. The safeguards included a wide variety of procedural and automated techniques and were used to illustrate issues of assurance, compliance, security program oversight, and inter-agency coordination.

As illustrated, effective computer security requires clear direction from upper management. Upper management must assign security responsibilities to organizational elements and individuals and must formulate or elaborate the security policies that become the foundation for the organization's security program. These policies must be based on an understanding of the organization's mission priorities and the assets and business operations necessary to fulfill them. They must also be based on a pragmatic assessment of the threats against these assets and operations. A critical element is assessment of threat likelihoods. These are most accurate when derived from historical data, but must also anticipate trends stimulated by emerging technologies.

A good security program relies on an integrated, cost-effective collection of physical, procedural, and automated controls. Cost-effectiveness requires targeting these controls at the threats that pose the highest risks while accepting other residual risks. The difficulty of applying controls properly and in a consistent manner over time has been the downfall of many security programs. This chapter has provided numerous examples in which major security vulnerabilities arose from a lack of assurance or
compliance. Hence, periodic compliance audits, examinations of the effectiveness of controls, and reassessments of threats are essential to the success of any organization's security program.
attack signature 219 220 18 51 73 75 81 82 96-9 audits auditing authentication host-based 195 211 219 205 authentication host-to-host 189 authentication servers 189 authorization to process 66 81 112 audit reduction 110 111 112-3 159 B bastion host 204 biometrics 180 186-7 C 75 81 85 91 93 95 certification self-certification 94 challenge response 185 186 189 checksumming 99 cold 125 126 site Computer Security Act Computer Security Program Managers' Forum 3 4 7 52-3 71-2 73 76 143 149 50 52 151 conformance - see validation consequence assessment 61 constrained user interface 201-2 cost-benefit 65-6 78 173-4 crackers - 212 see hackers 272 Cross Reference and Index D data categorization 202 Data Encryption Standard DES 205 224 231 202 database views diagnostic port - see maintenance accounts modems dial-back digital signature - 203 see electronic signature Digital Signature Standard 225 231 disposition disposal 75 85 86 160 197 235 dual-homed gateway 204 dynamic password generator 185 E ease of safe use 94 electromagnetic interception 172 see also electronic monitoring electronic monitoring 171 182 184 185 186 electronic digital signature 95 99 218 228-30 233 encryption 140 162 182 188 199 224-7 end-to-end encryption 233 Escrowed Encryption Standard 224 225-6 231 espionage 22 26-8 evaluations product 94 233 see also validation 233-4 export of cryptography Federal Information Resources Regulation firewalls FIRMR 7 46 48 52 see secure gateways - FIRST FISSEA gateways Management 52 139 151 - see secure gateways H hackers 25-6 97 116 133 135 136 156 162 182 183 186 204 HALON 169 170 hash secure 228 230 hot site 125 126 273 Cross Reference and Index I individual accountability - see accountability integrity statements 95 integrity verification 100 159-60 internal controls 98 114 intrusion detection 100 168 J 227-30 213 K keys cryptographic for authentication 182 key escrow 225-6 Escrowed Encryption Standard key management cryptography 85 114-5 186 keystroke monitoring 214 
see also 199 232 L labels 159 202-3 least privilege 107-8 109 112 114 179 liabilities 95 likelihood analysis 62-3 link encryption 233 M maintenance accounts 161-2 malicious code virus virus scanning Trojan horse monitoring 27-8 79 95 99 133-5 157 166 204 213 215 230 36 67 75 79 82 86 96 99-101 171 182 184 185 N 186 205 213 214 215 O operational assurance 82-3 89 96 OMB Circular A- 130 7 48 52 73 76 1 16 149 P password crackers 99-100 182 passwords one-time 185-6 189 password-based access control 182 199 penetration testing 98-9 permission bits 200- 1 203 230 plan computer security 53 71-3 98 127 161 P rivac y 14 28-9 38 78 92 policy general 12 33-43 49 51 78 144 161 policy issue-specific 37-40 78 274 196 Cross Reference and Index program policy 34-7 51 policy system-specific 40-3 53 78 86 port protection devises 203-4 privileged accounts proxy host 206 204 public access 116-7 public key cryptography 223-30 public key infrastructure 232 Q R RSA 225 reciprocal agreements 125 redundant 125 site reliable architectures security 93 94 responsibility 12-3 15-20 198 204 205 215 see also accountability roles role-based access 107 113-4 195 routers 204 safeguard analysis 61 screening personnel secret key cryptography 108-9 113 162 223-9 secure gateways firewalls 204-5 sensitive systems information 4 7 53 71 76 sensitivity assessment 75 76-7 sensitivity position 107-9 205 separation of duties 107 109 114 195 single log-in 188-9 standards guidelines procedures 35 48 51 78 93 231 system integrity 6-7 166 T TEMPEST - see electromagnetic interception theft 23-4 26 166 172 tokens authentication 115 162 174 180-90 threat identification 21-29 61 Trojan horse - see malicious code trusted development 93 trusted system 6 93 275 94 Cross Reference and Index U V 64 67-8 uncertainty analysis virus virus scanning - see malicious code 234 validation testing 93 variance detection 219 vulnerability analysis 61-2 W X Y Z warranties 95 276 oU S GOVERNMENT PRINTING OFFICE 9 95-4 04-5 2 5 4 79 1 
ANNOUNCEMENT OF NEW PUBLICATIONS ON COMPUTER SECURITY

Superintendent of Documents, Government Printing Office, Washington, DC 20402

Dear Sir: Please add my name to the announcement list of new publications to be issued in the series: National Institute of Standards and Technology Special Publication 800-.

Name / Company / Address / City, State, Zip Code
(Notification key N-503)

NIST Technical Publications

Periodical

Journal of Research of the National Institute of Standards and Technology -- Reports NIST research and development in those disciplines of the physical and engineering sciences in which the Institute is active. These include physics, chemistry, engineering, mathematics, and computer sciences. Papers cover a broad range of subjects, with major emphasis on measurement methodology and the basic technology underlying standardization. Also included from time to time are survey articles on topics closely related to the Institute's technical and scientific programs. Issued six times a year.

Nonperiodicals

Monographs -- Major contributions to the technical literature on various subjects related to the Institute's scientific and technical activities.

Handbooks -- Recommended codes of engineering and industrial practice (including safety codes) developed in cooperation with interested industries, professional organizations, and regulatory bodies.

Special Publications -- Include proceedings of conferences sponsored by NIST, NIST annual reports, and other special publications appropriate to this grouping, such as wall charts, pocket cards, and bibliographies.

National Standard Reference Data Series -- Provides quantitative data on the physical and chemical properties of materials, compiled from the world's literature and critically evaluated. Developed under a worldwide program coordinated by NIST under the authority of the National Standard Data Act (Public Law 90-396). NOTE: The Journal of Physical and Chemical Reference Data (JPCRD) is published bimonthly for NIST by the American Chemical Society (ACS) and the American Institute of Physics (AIP). Subscriptions, reprints, and supplements are available from ACS, 1155 Sixteenth St., NW, Washington, DC 20056.

Building Science Series -- Disseminates technical information developed at the Institute on building materials, components, systems, and whole structures. The series presents research results, test methods, and performance criteria related to the structural and environmental functions and the durability and safety characteristics of building elements and systems.

Technical Notes -- Studies or reports which are complete in themselves but restrictive in their treatment of a subject. Analogous to monographs but not so comprehensive in scope or definitive in treatment of the subject area. Often serve as a vehicle for final reports of work performed at NIST under the sponsorship of other government agencies.

Voluntary Product Standards -- Developed under procedures published by the Department of Commerce in Part 10, Title 15, of the Code of Federal Regulations. The standards establish nationally recognized requirements for products, and provide all concerned interests with a basis for common understanding of the characteristics of the products. NIST administers this program in support of the efforts of private-sector standardizing organizations.

Order the following NIST publications -- FIPS and NISTIRs -- from the National Technical Information Service, Springfield, VA 22161.

Federal Information Processing Standards Publications (FIPS PUB) -- Publications in this series collectively constitute the Federal Information Processing Standards Register. The Register serves as the official source of information in the Federal Government regarding standards issued by NIST pursuant to the Federal Property and Administrative Services Act of 1949 as amended, Public Law 89-306 (79 Stat. 1127), and as implemented by Executive Order 11717 (38 FR 12315, dated May 11, 1973) and Part 6 of Title 15 CFR (Code of Federal Regulations).

NIST Interagency Reports (NISTIR) -- A special series of interim or final reports on work performed by NIST for outside sponsors (both government and nongovernment). In general, initial distribution is handled by the sponsor; public distribution is by the National Technical Information Service, Springfield, VA 22161, in paper copy or microfiche form.

This document is from the holdings of The National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street NW, Washington, D.C. 20037. Phone: 202 994-7000, Fax: 202 994-7005, nsarchiv@gwu.edu