TUCoPS :: General Information :: itsec.txt

Interpol document: IT Security and Crime Prevention Methods


IT Security and crime prevention methods
Explanations

1.  IT Security: definitions
2.  Information processing and IT Security
3.  Important IT Security functions
3.1 Information classification
3.2 Documentation
3.3 Administration and personnel
3.4 User identification and authorisation
    Identification - Authorisation
3.5 Logging
3.6 Back-up
3.7 Firewalls
3.8 Intrusion Detection Systems (IDS)
3.9 Incident Handling System
4.  Computer architecture
4.1 Microcomputers (stand-alone)
4.2 Network architectures and mini-computers
4.3 Mainframes
4.4 Hand-held computers
5.  Threats and crime prevention methods
5.1 Architecture-independent threats
    Members of staff - Unauthorised access from external
    sources - Media handling - Malicious program code -
    Electronic emission
5.2 Microcomputer (stand-alone, Personal Computer) systems
5.3 Network architectures and mini-computers systems
5.4 Mainframe-computer systems
6.  IT Security - International Workgroups



Introduction: Goals and objectives
----------------------------------------------------------------

This document gives an introduction to what an investigator
needs to know about Information Technology (IT) security
measures in order to be able to carry out investigations in an
IT environment and to give advice in crime prevention methods.

Information Technology has come to play an important and vital
role in all sectors of society. As a consequence, security has
become an essential component of Information Technology.
However, it is a complex subject and the appropriate measures
will often depend, to a large extent, on the type and location
of the IT equipment.

The potential security threats and risks have to be carefully
assessed in every situation and it is absolutely vital that all
concerned are made aware of the threats and risks that affect
them, and over which they have control. Only then will they
fully understand and apply the appropriate security procedures.

This report attempts to explain the various threats and risks
posed by criminal activity in IT environments and indicate
advice which the police can give about security procedures and
computer crime prevention methods. It is not intended to be a
comprehensive study. Threats to information systems may arise
from intentional or unintentional acts and may come from
internal or external sources. This guide will address only
intentional threats, made with criminal intent, to
confidentiality and integrity. Availability security functions
will only be addressed if they have an effect on confidentiality
and/or integrity. Examples of prevention methods will be given.

The prevention methods in this report are not only useful for
preventing crime in the information technology systems of
companies and public authorities; many of them can also be used
to protect private computer systems.



1. IT Security: definitions
----------------------------------------------------------------

CONFIDENTIALITY (Secrecy)

     Information and other resources are disclosed only to
     those 'users' (persons, entities or processes) who are
     authorised to have access to them.

INTEGRITY

     Information and other resources are modified only by
     those 'users' who have the right to do so. The
     accuracy and completeness of the data and information
     is also guaranteed.

AVAILABILITY

     Authorised 'users' can access information and other
     resources when needed.

THREAT

     A 'threat' is a potential undesirable incident.

RISK

     A 'risk' is the estimated probability that a 'threat'
     will be activated.

2. Information processing and IT Security
----------------------------------------------------------------

In order to protect the data held on a computer system, various
steps have to be taken: individual users should only be able to
read the information which is needed to do their job; they
should only be able to modify information which is specifically
their job to modify. Finally, some information should not be
accessible at all for individual users, e.g. the various log
records.

In simple terms, information processing involves the following
types of operation:

   * READ/CREATE/MODIFY/DELETE information
   * TRANSPORT (in one way or another) of information
   * STORE information (on computer 'media' to keep it
     somewhere).

i. READ/CREATE/MODIFY/DELETE

Information is 'Read/Created/Modified/Deleted' by a 'User'. A
'User' is a person or a process (e.g. a computer program).
Authorisation to 'Read' information is a question of
confidentiality while 'Create/Modify/Delete' is primarily a
question of integrity.

ii. TRANSPORT

One of the simplest ways of 'transporting' information is the
internal transport between the keyboard, the memory and the hard
disk in a Personal Computer. Another is the external 'transport'
of a diskette from one place to another. Information can also be
'transported' using a 'Local Area Network' (LAN) and/or a 'Wide
Area Network' (WAN). Insecure 'transport' affects both
confidentiality and integrity.

A special kind of undesirable 'transport' is 'Electronic
Emission' (see below).

iii. STORE information

Once the information has been 'stored' on some kind of media
(diskettes, tapes etc.), it may become the target of
unauthorised activities which will have an effect on the
confidentiality and/or integrity of the information.

3. Important IT Security functions
----------------------------------------------------------------

As well as knowledge of computer architecture, the investigator
also needs to be familiar with a number of important IT Security
functions and organisational matters if s/he is to be able to
give advice on prevention methods and conduct investigations.

Some important functions are:

   * Information classification
   * Documentation rules
   * Administration and personnel
   * User Identification and Authorisation
   * Logging
   * Back-up
   * Firewalls
   * Intrusion Detection System (IDS)
   * Incident Handling (IH)

3.1 Information classification

It is essential to classify the information according to the
appropriate level of confidentiality, e.g. 'open',
'confidential', 'secret' or 'top secret'. Only then will it be
possible to apply the most effective security measures. The
classification should be carried out by the management or by the
'information owner'.

3.2 Documentation

All systems, but especially the 'Identification and
Authorisation system', 'Information Classification system' and
'Application systems', must be fully documented.

IT Security policy and the security rules for the organisation
as well as details of contingency plans in the event of a major
incident should be documented in a 'Security Handbook'. The
chapter on IT Security should have separate sections for each
user category, e.g. 'Management', 'System Administrators', 'End
Users' etc.

Create a checklist with guidelines concerning the actions which
have to be taken in case of an incident (e.g. immediate
reaction, who to contact). See chapter 'Incident Handling'.

3.3 Administration and Personnel

Success in information security work depends first and foremost
on developing good basic working practices and establishing
procedures to ensure that they are maintained. It is also
important to create a security-conscious atmosphere and
establish a disciplined approach.

If confidential information is to be handled, it is essential
that the people chosen for the job are absolutely reliable. They
should be security screened to a level equal to the highest
level of confidential information they are likely to be asked to
work on. Access to information should be restricted to that
which the individual 'needs to know' to do his job. Particularly
sensitive material should be split into sections so that only
authorised staff can handle each section; no member of staff
should have access to all the information.

Furthermore, security measures will only be effective if staff
are properly trained. It is essential that they understand the
problem. This can be achieved with in-house training. The
individual users must be trained how to use the network, how to
handle confidential information, making back-ups etc. Employees
can be taught what to do to counter certain threats, what they
should not do, whom they can call and where they can get help.
It is also very important to encourage employees to report
incidents so that steps can be taken to prevent any further
damage.

New or temporary employees should be given introductory
training, during which data security and data integrity can be
explained. It might also be useful to consider including a
clause on security and confidentiality obligations in employees’
contracts.

(a) Management responsibilities

To achieve functional and cost-effective IT Security, a number
of initial steps must be taken by the management:

Risk analysis
What are the threats and what is the risk they will be
activated? Threats and risks, acceptable or unacceptable, vary
between different organisations. It is important to analyse the
risks to make it possible for the management to form a policy
with their security intentions.

Policy
There must be an Information Security policy written and
approved by management. No management-approved policy = no
resources. It should include the main security targets,
information classification principles, responsible persons, and
principles to reach the targets.

Security plan
A plan has to be made to define how the targets and the
intentions in the policy document should be realised. A priority
list must be set up because it may not be possible to realise
everything in the policy at the same time. The plan is a living
document and has to be scrutinised by the IT security officer.

Security architecture
With the risk analysis, the policy and the plan as a base, a
security architecture must be chosen. Security architecture is a
high-level description of the technical security functions and
the organisational arrangements needed to fulfil the security
demands.

Implementation
With the security architecture as a base, different security
functions and products must be selected to implement it.

The main points requiring attention are as follows:

i. All senior management, and not just the computer security
manager, should be sufficiently familiar with the computer
systems in use, to enable them to know what is going on and why.

ii. The role of the system manager is crucial. He must be of the
highest degree of integrity, and sufficiently computer literate
to be able to administer the system in a secure and responsible
manner. The system manager access level should be restricted to
the minimum number of staff required. However it must be
possible for the IT security manager to check on the system
manager’s activities.

iii. The only way of establishing how a problem has occurred,
whether the origin is accidental or deliberate, is to examine
the logging information stored on the computer. (One of the
reasons for restricting privileges is that the logging
information of the system is available at this level). Analysis
of this information should show when, where and how the problem
occurred. In some cases careful examination will also indicate
who was responsible. It is essential therefore that the logging
capabilities of the particular system are fully understood and
utilised. If the logging functions on the system are inadequate,
consideration should be given to acquiring suitable software.

(b) User responsibilities

Users should be given specific guidelines about what they should
do - and more importantly - what they should not do. These
guidelines should be distributed in written form, and signed
for. This will counter the defence that they were unaware of the
contents of the guidelines and at the same time provide the
investigator with written proof. Specimen guidelines are given
below. They are certainly not exhaustive and others can be added
to take account of particular circumstances.

  i. Do not use any computer equipment without permission.
 ii. Do not try to access information unless you know you are
     authorised to do so.
iii. Do not alter any information on a computer system unless
     you know you are authorised to do so. (It is also important
     to provide a clear written statement of what information
     each user is allowed to access, to whom that information
     may be disclosed and what action will be taken if the rules
     are broken.)
 iv. Do not use a company or authority computer for personal
     matters without permission.
  v. Do not leave a working computer unattended, without using
     security options that demand retyping a password (e.g.
     screen saver password).
 vi. Make sure you know what to do in the event of a virus being
     discovered on the system. Use virus protection programs.
vii. Be aware of malicious program code, when loading files,
     mails etc. from the internet or other media.
viii.Keep your password and user-ID confidential.
 ix. Do not allow anyone else to use your password. (If people
     like engineers need access to the system, they should be
     referred to the system manager.)
  x. Do not use anyone else’s password.
 xi. Remember that anything done on the system using your ID and
     password can be your responsibility.

3.4 User Identification and Authorisation

Access to a computer (e.g. a Personal Computer) can be
restricted by means of controls based on various kinds of
'Identification and Authorisation' systems.

Identification, as the term is used here, is a two-step function:
(a) to identify the user and (b) to authenticate (validate) the
identity, i.e. confirm that the user is who s/he claims to be.

The simplest systems rely on passwords only. More sophisticated
systems use cards (e.g. 'SmartCard') and/or 'biometric' methods
in combination with passwords.

3.4.1 Identification

(a) Password systems

These give some measure of protection against casual browsing of
information, but will rarely stop a determined criminal. A
computer password acts like a key to a computer. Allowing
several people to use the same password is like everyone using
the same key.

Passwords should:

  i. Be issued to an individual and kept confidential; they
     should not be shared with anyone. (The golden rule is ONE
     PERSON ONE PASSWORD.) Should a temporary user need access
     to a system, it is usually fairly simple to add him to the
     list of authorised users; once the temporary user has
     finished his work, his user-ID must be deleted from the
     system.
 ii. Be distinct from the user-ID.
iii. Ideally be:
       a. alphanumeric and
       b. at least six characters long.
 iv. Be changed regularly, at least every 30 days. It is
     possible to warn the user automatically when his password
     expires. To ensure that he enters a new one, he will not be
     able to enter the system after the expiration date,
     although he may be allowed a limited number of 'grace'
     log-ins.
  v. Be properly managed. This will involve:
       a. Using a password history list, giving all the
          passwords used in the past year or two. New passwords
          will be checked against the list and not accepted if
          they have already been used.
       b. Making a list of frequently used passwords such as
          names, brands and other words that are easy to guess
          and therefore not suitable as passwords. This list
          will be used in the same way as the history list,
          except that new passwords will not be added; only the
          system manager will be able to change the list. N.B.
          Some systems conform to these standards and generate
          passwords automatically.
 vi. Be removed immediately if an employee leaves the
     organisation or gives notice of leaving.

Last but not least, care should be taken with the passwords used
for remote maintenance. Standard (default) passwords, which are
often used to get access to different systems for maintenance
purposes, are widely known and should always be changed or
disabled.

(b) Other identification systems

The 'password' method is built on something you 'know' and can
be misused by anyone who gets hold of the password. A system
built on something you 'know' (password, PIN code etc.) AND
something you 'have' (e.g. an authorisation card) is much
stronger: even if someone gets hold of your password it is
useless without the card. Today, the strongest method combines
something you 'know', something you 'have' and something you
'are' (biometrics).

There are two main types of card:

  a. Magnetic strip card: As its name suggests, this type of
     card has a magnetic strip containing some confidential
     information to be used together with the holder’s personal
     code;
  b. Chip card: Instead of a magnetic strip, the card has a
     built in microchip. The simplest type contains a memory
     chip (e.g. telephone cards) containing some information but
     has no processing capability. The other, better, type is
     the 'Active' (or 'Smart') Card. It contains a microchip
     with both a memory to store some information and a
     processor. It is often used in combination with
     cryptographic techniques.

Biometric systems make use of specific personal characteristics
(biometrics) of a specific person e.g. fingerprint, voice,
keystroke characteristics or the 'pattern' of the retina.
Biometric systems are still quite expensive (except for the
keystroke system) and not very common.

However, even these sophisticated techniques are not infallible.

3.4.2 Authorisation

After identification and authentication of the user (subject)
there must be a function and set of rules to control what object
(files, devices etc.) each user is allowed to access. This is
the Access Control system.

3.5 Logging

Most computer systems have some kind of log. Even stand-alone
systems sometimes have identification and authorisation systems
(and a log) if different users, with different authorisation
levels, use them and/or when it is desirable to prevent users
from using the disk drive (as an anti-virus measure) or changing
files.

In a multi-user system (client-server-, mini-,
mainframe-systems) there are always logging functions and there
is often more than one kind of log.

The desired level of protection will only be achieved if the
various security measures are properly followed up with a log
that can be analysed as and when necessary. A proper log will
answer the questions:

   * WHO (user)
   * WHEN (time - date)
   * WHERE (place)
   * WHAT (event/activity)
   * ADDITIONAL (Additional information depending on activity)

There are often many different types of logs, e.g.:

   * HISTORY files (e.g. Internet activities)
   * TEMPORARY files
   * SYSTEMS log
   * TRANSACTION log
   * SECURITY SYSTEM log
   * DATABASE log
   * APPLICATION log
   * TECHNICAL log (mainly on mainframes)

Log information is one of the most important items for a
computer crime investigator to look for.

3.6 Back-up

Although modern computer systems are generally very reliable,
breakdowns and failures do occur, and users can make mistakes
that lead to the accidental destruction of information. To guard
against total loss of information under these circumstances, it
is necessary to set up procedures for making regular copies. The
information on the computer system should be copied to some form
of back-up medium. This medium can then be stored in a safe
place until it is needed.

For particularly valuable information several copies should be
made, and each copy stored in a different place and at least in
different buildings, if not different cities.

The frequency with which back-ups are taken should be based on
the frequency with which the information changes, the relative
value of the information, and the problems its loss would cause.
Regular back-up of data and system files are an essential
security measure. When combined with the logging information,
they should provide a comprehensive security information
package. The following guidelines may be of assistance when
making back-ups:

  i. Make sure that regular back-up copies are made of both data
     and system files.
 ii. Back-up cycles should be of sufficient length to be of some
     use in the future. 24-hour overwrite cycles are not
     recommended.
iii. Take a full back-up (both system and data) out of the cycle
     on a regular basis and archive it off site for an extended
     period.
 iv. Back-up tapes/diskettes should be kept in a safe place
     under lock and key and away from the computer and where
     they are secured from fire, flood, magnetic and electric
     fields etc., preferably off site.
  v. Periodically test the back-up to ensure that the
     information can actually be restored in an emergency; do
     not wait for disaster to strike to find the back-up system
     does not work.

Back-ups (including old back-ups) are another important source
of information for an investigator.
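Guideline v above ('periodically test the back-up') is worth
automating. The following Python is an added example, not part
of the original document: it takes a full back-up of a small
constructed directory into a compressed tar archive, records a
SHA-256 manifest alongside it, restores into a scratch directory
and checks every file against the manifest. Paths, file contents
and the manifest layout are assumptions.

```python
"""Back-up with an integrity manifest and a restore test.

Added example, not part of the Interpol document. The directory layout, the
sample files and the manifest format (JSON of relative path -> SHA-256) are
assumptions.
"""
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large back-up members need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src: Path, archive: Path) -> dict[str, str]:
    """Take a full back-up of src into a gzip-compressed tar and return the manifest.

    The manifest is also written next to the archive; kept with the off-site copy
    it lets a later restore (or an investigator) show the copy is complete and unaltered.
    """
    manifest = {p.relative_to(src).as_posix(): sha256_of(p)
                for p in sorted(src.rglob("*")) if p.is_file()}
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    archive.with_name(archive.name + ".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def restore(archive: Path, dest: Path) -> None:
    """Extract the archive into dest.

    Python 3.12+ offers filter="data", which refuses members that would write
    outside dest or create devices; use it where available, since restoring a
    tampered tape is exactly the case where that matters.
    """
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)


def verify(dest: Path, manifest: dict[str, str]) -> list[str]:
    """Compare a restored tree with its manifest; an empty result means restored intact."""
    problems = []
    for rel, expected in manifest.items():
        restored = dest / rel
        if not restored.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(restored) != expected:
            problems.append(f"hash mismatch: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Back up a small constructed data set, restore and verify it, then alter one
    restored file to show the check naming the damaged file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "data"
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "2024-q1.csv").write_text("acct,amount\n1001,250.00\n")
        (src / "notes.txt").write_text("constructed sample file\n")

        archive = root / "full-backup.tar.gz"
        manifest = make_backup(src, archive)

        dest = root / "restore-test"
        restore(archive, dest)
        intact = verify(dest, manifest)

        (dest / "notes.txt").write_text("altered after restore\n")
        damaged = verify(dest, manifest)
        return intact, damaged


if __name__ == "__main__":
    print(demo())
```

The manifest also serves the investigator: a back-up taken before
an incident can be shown to be complete and unaltered, and the
check names the files that differ instead of returning a bare
pass or fail.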

3.7 Firewalls

One frequently asked question is 'how to secure the internal
network from an external network such as the Internet?' One
solution is to set up a firewall system.

According to a definition in The Internet Firewall FAQ 'A
firewall is a system or group of systems that enforces an access
control policy between two networks. The actual means by which
this is accomplished varies widely, but in principle, the
firewall can be thought of as a pair of mechanisms: one, which
exists to block traffic, and the other that exists to permit
traffic. Some firewalls place a greater emphasis on blocking
traffic, while others emphasise permitting traffic. Probably the
most important thing to recognise about a firewall is that it
implements an access control policy. If you don’t have a good
idea what kind of access you want to permit or deny, or you
simply permit someone or some product to configure a firewall
based on what they or it think it should do, then they are
making policy for your organisation as a whole.'

Firewall systems are typically the first line of defence between
an internal network (a company network, but also a private one)
and the outside world, especially its connection to the
Internet. A firewall should be configured not only to allow
certain operations to occur (FTP, mail delivery, etc.), but also
to make it difficult or impossible for an attacker on the outside
to use the firewall itself as a way into the internal networks.

There are primarily two types of firewall systems, the
packet-filtering firewall system and the application-level
gateway.

The major difference between the two techniques lies in the flow
of communication. A packet-filter gateway acts as a router
between the two networks; as packets flow from their source to
the destination, the gateway either forwards or blocks the
packets. With application gateways, all packets are addressed to
a user-level application on the gateway that relays the packets
between the two communication points.

Firewall system requirements

Firewall systems must support features that will do the
following:

   * Prevent unauthorised users from accessing the internal
     network.
   * Prevent unwanted IP service requests from being passed
     through it to the internal network.
   * Log its activities.
   * Be easy to administer.
   * Provide alarm mechanisms.
   * Preferably support SNMP.
   * Be configurable at the user, service, and IP host level.
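To make the packet-filter type concrete, here is an added Python
example (not from the original document or from any firewall
product) that evaluates packets against an ordered rule set in
the way the text describes: the first matching rule wins, and
anything not explicitly permitted is denied. The internal range
192.0.2.0/24 and the other addresses come from the documentation
address blocks, the rules and sample packets are constructed, and
the logging requirement from the list above is met by recording
one line per decision:

```python
"""Packet-filtering firewall policy evaluator.

Added example, not taken from the Interpol document or from any firewall
product. The internal range and hosts use documentation address blocks
(192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24); the rule set and the
sample packets are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    src: str           # source network in CIDR notation
    dst: str           # destination network in CIDR notation
    proto: str         # "tcp", "udp" or "any"
    dport: int | None  # None matches any destination port
    comment: str       # why the rule exists; copied into the log

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


# The policy, written down before the product is configured (see the FAQ quote):
# outsiders may reach only the mail relay (SMTP) and the FTP host (FTP control);
# insiders may browse the web; nothing else crosses in either direction.
# Rules are ordered and the first match wins.
POLICY = [
    Rule("permit", "0.0.0.0/0", "192.0.2.25/32", "tcp", 25, "inbound SMTP to mail relay"),
    Rule("permit", "0.0.0.0/0", "192.0.2.21/32", "tcp", 21, "inbound FTP control to FTP host"),
    Rule("permit", "192.0.2.0/24", "0.0.0.0/0", "tcp", 80, "outbound HTTP"),
    Rule("permit", "192.0.2.0/24", "0.0.0.0/0", "tcp", 443, "outbound HTTPS"),
]


def evaluate(p: Packet, rules: list[Rule] = POLICY, log: list[str] | None = None) -> str:
    """Return "permit" or "deny" for one packet and record the decision.

    A packet that matches no rule is denied: the filter fails closed, so an
    omission in the policy blocks a service instead of exposing one.
    """
    for rule in rules:
        if rule.matches(p):
            verdict, reason = rule.action, rule.comment
            break
    else:
        verdict, reason = "deny", "no rule matched (default deny)"
    if log is not None:  # requirement: log its activities
        log.append(f"{verdict.upper():<6} {p.proto}/{p.dport} {p.src} -> {p.dst} ({reason})")
    return verdict


if __name__ == "__main__":
    audit: list[str] = []
    for pkt in (Packet("198.51.100.7", "192.0.2.25", "tcp", 25),   # mail from outside: permit
                Packet("198.51.100.7", "192.0.2.25", "tcp", 23),   # telnet to the mail relay: deny
                Packet("192.0.2.10", "203.0.113.5", "tcp", 443),   # browsing from inside: permit
                Packet("192.0.2.10", "203.0.113.5", "udp", 53)):   # DNS not in policy: deny
        evaluate(pkt, log=audit)
    print("\n".join(audit))
```

Because the first match decides, an explicit deny placed ahead of
the permits overrides them; that is how a known hostile range is
cut off without rewriting the rest of the policy.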

Security Policy

If a firewall system will be deployed to secure the access to
the Internet, the configuration of the firewall system must
reflect the security policy of the organisation. The security
policy must address, at a minimum, the following questions:

     What is the policy on IP Addresses?
     Is the organisation's IP address space a registered IP
     address?
     Who is or will be the organisation's Internet service
     provider?
     What is the Internet service providers security
     policy? Is their network secure?
     Will firewall systems be used to secure the connection
     to the Internet?
     If so, what type of firewall system?
     What is the firewall system architecture?
     All entry and exit points to the Internet need to be
     identified. The firewall network architecture must be
     defined to control authorised inbound and outbound
     connections.
     What is the policy for inbound access to systems?
     Which specific protocols will be allowed to access
     nodes on the internal network?
     What is the policy on outbound access to nodes on the
     Internet?
     Do remote offices or branches connect to the home
     office?
     If so, are remote offices directly connected to the
     Internet or is their access to the Internet through
     the home office?
     If there is a direct connection between the remote
     office and the Internet, verify that if the security
     of the remote office is compromised, the security of
     the corporate network is not compromised.
     Are there external networks that are not trusted?
     Are there external networks that do need access to the
     internal network via the Internet?

3.8 Intrusion Detection Systems (IDS)

Do I need an Intrusion Detection System if I have a Firewall?

Yes. The main purpose of a Firewall is to protect against
unauthorised external attacks, but it will normally leave the
network unprotected against internal attacks or intrusions. And
Firewalls sometimes fail to protect against external intrusions
because:

   * It is hard to configure the Firewall properly
   * Hackers/crackers can get some packets through most
     Firewalls, and Firewalls do not know what happens once
     someone has got through
   * The software contains bugs (software always has bugs)
   * Dangerous protocols can be blocked by the Firewall, but
     HTTP is allowed through, and an attack carried inside HTTP
     will pass through with it
   * The Firewall can only protect against known problems

An intruder is somebody attempting to break into or misuse the
system. Intruders can be divided into two categories:

   * Outsiders Intruders from outside your own network who try
     to attack your system via dial-up lines, Internet, a vendor
     or other 'partner' etc.
   * Insiders Intruders that are authorised to use your internal
     network but are misusing their privileges.

There are different types of IDS. Two main types are:

   * Statistical detection The IDS looks for deviations from
     statistical measures to detect unusual behaviour. A set of
     variables is defined for subject and objects such as
     servers, files, users and other resources. A 'normal' value
     is set for each variable by looking at historical data or
     by setting expected values. When system activities occur
     the list of variables is maintained and updated for each
     subject or object.
   * Pattern (or Signature) matching detection This type of IDS
     compares activities against a collection of known attacks
     or a set of rules. The main idea is to watch for events
     that match one of the patterns or violate the rules.
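The two detector types can be shown side by side on the same
input. The following Python is an added example (not part of the
Interpol document): it parses a dozen constructed log lines in
the WHEN / WHO / WHAT / ADDITIONAL form of section 3.5, flags a
user whose failed log-in count departs from a per-user historical
baseline (statistical detection) and flags requests matching
known attack patterns (signature detection). The log format, the
baseline figures, the threshold and the two signatures are all
assumptions:

```python
"""Statistical and signature intrusion detection over constructed log lines.

Added example, not part of the Interpol document. The log format, the
historical baseline, the alert threshold and the two signatures are assumptions.
"""
from __future__ import annotations

import re
from collections import Counter
from statistics import mean, pstdev

# Constructed log lines in the WHEN / WHO / WHAT / ADDITIONAL form of section 3.5:
# "<time> <user> <event> <detail>"
LOG = """\
08:01 alice LOGIN_OK ws12
08:02 bob LOGIN_OK ws07
08:03 alice FILE_READ /home/alice/report.txt
08:04 bob LOGIN_FAIL ws07
08:05 bob LOGIN_OK ws07
09:10 mallory LOGIN_FAIL ws99
09:10 mallory LOGIN_FAIL ws99
09:11 mallory LOGIN_FAIL ws99
09:11 mallory LOGIN_FAIL ws99
09:12 mallory LOGIN_FAIL ws99
09:12 mallory LOGIN_FAIL ws99
09:13 mallory LOGIN_OK ws99
09:14 mallory HTTP_GET /cgi-bin/../../etc/passwd
09:15 alice HTTP_GET /index.html""".splitlines()

# Statistical detector's 'normal' values: failed log-ins per user per day over five
# ordinary days (constructed). A real IDS learns these from historical logs.
BASELINE_FAILS_PER_DAY = {
    "alice": [0, 1, 0, 0, 1],
    "bob": [1, 0, 2, 1, 0],
    "mallory": [0, 0, 1, 0, 0],
}

# Signature detector's rule set: name -> pattern applied to the detail field.
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "password file access": re.compile(r"/etc/(passwd|shadow)\b"),
}


def parse(line: str) -> tuple[str, str, str, str]:
    """Split one line into (time, user, event, detail); detail may contain spaces."""
    time, user, event, detail = line.split(" ", 3)
    return time, user, event, detail


def statistical_alerts(lines: list[str], baseline: dict[str, list[int]], k: float = 3.0) -> list[str]:
    """Flag users whose LOGIN_FAIL count exceeds mean + k * stddev of their own history.

    The deviation is floored at 1 so a user with a perfectly quiet history is not
    reported for a single mistyped password.
    """
    fails = Counter(user for _, user, event, _ in map(parse, lines) if event == "LOGIN_FAIL")
    alerts = []
    for user, count in fails.items():
        history = baseline.get(user, [0])
        threshold = mean(history) + k * max(pstdev(history), 1.0)
        if count > threshold:
            alerts.append(f"{user}: {count} failed log-ins, threshold {threshold:.1f}")
    return alerts


def signature_alerts(lines: list[str], signatures: dict[str, re.Pattern] = SIGNATURES) -> list[str]:
    """Report every event whose detail field matches a known attack pattern."""
    alerts = []
    for time, user, event, detail in map(parse, lines):
        for name, pattern in signatures.items():
            if pattern.search(detail):
                alerts.append(f"{time} {user}: {name} in {detail}")
    return alerts


if __name__ == "__main__":
    print(*statistical_alerts(LOG, BASELINE_FAILS_PER_DAY), sep="\n")
    print(*signature_alerts(LOG), sep="\n")
```

On this input the statistical detector reports only mallory,
whose six failures are far above a baseline of roughly one per
day, while bob's single failure stays under his threshold; the
signature detector fires twice on the same request, once per
pattern it matches. The two approaches are complementary: the
first needs no knowledge of the attack, the second catches a
known attack on the first attempt.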

Why should I use a Firewall and IDS? Because most attacks come
from inside and every company or organisation needs a well
managed single point of entry as well. In addition, a Firewall
can keep hackers running automated intrusion programs out of the
internal network. Otherwise those programs can detect and
exploit holes in your security architecture. There is a lot of
information explaining different IDS on the Internet.

3.9 Incident Handling System

Even if you have installed a Firewall and an Intrusion Detection
System someone has to take care of an incident when it occurs
(not 'if' it occurs, because it will happen sooner or later). To
be well prepared is the best way to handle an incident. It is
very important to stay calm and not panic when an incident
occurs. It is very valuable to have a special form to register
incidents.

For example, the SANS Institute has a step-by-step method for
incident handling; the latest information can be obtained via
the Internet from ih@sans.org. Their method has six stages:

   * preparation
   * identification
   * containment
   * eradication
   * recovery
   * follow-up

Preparation
This stage covers things like policy, management support,
training and interfaces to law enforcement.

Identification
How to identify an incident, responsible staff, co-ordination
with network suppliers, etc.

Containment
Create the on-site team to survey the situation. Backup of the
system. Risk determination (to let the system run) etc.

Eradication
Perform vulnerability analysis. Remove the cause of the incident
etc

Recovery
Restore the system. Validate the system etc

Follow-up
Develop a follow-up report.



4. Computer architecture
----------------------------------------------------------------

The main types of computer architecture are indicated below. In
many cases, the specific threats and risks to which a particular
system is exposed will depend on its architecture. However there
are a number of threats which can affect all systems,
irrespective of their architecture.

Main architecture types

   * Microcomputers
   * Network architectures and Mini-computers
   * Mainframes
   * Hand-held computers.

4.1 Microcomputers (stand-alone)

These computers have no facilities for permanent external
communications, apart from links to peripherals (e.g. printer,
scanner, streamer, extra disk drive etc.). Nowadays it is common
to have a modem and a temporary connection to the Internet.

This architecture is easiest to 'protect' but it is also the
architecture where the users are least aware of the possible
threats and risks. If it is connected to the Internet it can be
vulnerable to external attacks if it is not properly configured.
The user is responsible for back-ups, keeping media in a safe
place, protecting data from unauthorised access, etc.

Examples:  Personal Computer (IBM PC-compatible) - Desktop,
           Laptop
           Macintosh, Amiga, etc.



4.2 Network architectures and Mini-computers

A mini-computer is linked to several workstations to serve a
limited number of users. The workstations may consist of just a
keyboard and screen, or microcomputers (so-called 'intelligent'
terminals) may be used. Today, these mini-computers are often
referred to as 'servers' linked to their workstations through a
Local Area Network (LAN); this is commonly known as client-server
architecture.

In many organisations the old mainframe architecture is now
being replaced with a number of 'servers' each of which has a
different set of functions. Connections from the LAN to Wide
Area Networks (WAN) are common.

The user is only responsible for backing up the files on the
hard disk on his own workstation (if it has one). One or more
administrators are responsible for all other back-ups, loading
new programs etc. Management of the network is normally left to
a Network Administrator.

Examples:    UNIX-systems, OS/2-servers, and IBM AS400
             Digital Micro VAX, etc.



4.3 Mainframes

Used in big organisations to serve a great number of users
and/or where considerable computing capacity is needed. A
special computer-room with air-conditioning is needed, too. This
is often located in a restricted area of the building and
specialists are required to operate the computer. Network
operators monitor the communication functions and assist users
if there are communication problems. System development and
programming is a task for specialised staff. The user is only
responsible for backing up the files on the hard disk of his
workstation (if it has a disk). Because of the very fast
technical development in the field of client-server it is today
not possible to clearly define the difference between mainframes
and servers.

4.4 Hand-held computers

This type of computer, like personal organisers, is completely
different from the others and is discussed in section 'Technical
devices & communications' in the Interpol Computer Crime Manual.
The most important prevention method is to keep the equipment in
a safe place and away from unauthorised persons.

5. Threats and crime prevention methods
----------------------------------------------------------------

This section gives examples of the threats that may occur. Some
may be encountered in all types of environment, others may only
occur with specific types of computer architecture.

The prevention methods mentioned are only given as examples. The
risk of the threat being activated must be assessed in each
organisation and depends on factors such as the company's
information policy, employees' awareness, etc.

In the following tables, the various threats to which a system
may be exposed are grouped according to where the information is
located in the IT process.

     READ/CREATE/MODIFY/DELETE refers to information (data
     and software) inside the computer system.

     TRANSPORT refers to information (data and software)
     'transported' via a network or on media.

     STORE refers to information (data and software) when
     it is stored on computer media and taken out of the
     computer system (i.e. back-up tapes/diskettes).

5.1 Architecture-independent threats

There are a number of important 'architecture-independent
security targets':

   * Members of staff, who hold certain responsibilities, powers
     and information
   * Media handling
   * Malicious programs
   * Electronic Emission

5.1.1 Members of staff

Threat                          Prevention method

Disloyal staff                  See advice given above in
                                'Important IT security
                                functions'.
                                The strongest form of security
                                is often procedural security
                                with attendant staff awareness
                                and responsibility.

Unauthorised access to          Users should be given specific
information by users            written guidelines on what they
                                should and should not do.
                                Guidelines should be signed
                                for.

                                Install an 'Identification and
                                Authorisation' system. Adopt a
                                'two-man rule' for granting
                                privileges.

                                Do not reveal your password to
                                anyone.

                                Keep identification and
                                authorisation cards in a safe
                                place.

                                Regularly check logs.

                                Regularly check that
                                configuration is correct.

                                Install an Intrusion Detection
                                System.

                                See above, chapter 'Important
                                IT security functions'

Unauthorised access to          The same as above and:
information by system
administrators, programmers,    Use separate systems for
etc.                            program development and for
                                'production'.

                                Restrict access to equipment
                                with sensitive information;
                                adopt 'two-man rule'.

                                Restrict use of 'super
                                user'/'root' privileges.

Unauthorised access to          As for other staff and:
information by temporary
staff, e.g. consultants,        Limit their access to the
service engineers etc.          system to the time and day
                                required for the specific task.

                                Do not forget to cancel their
                                access rights and close their
                                temporary accounts.

                                Do not leave communication
                                lines for remote servicing open
                                when not needed.

5.1.2 Unauthorised access from external sources

Threat                   Prevention method

Unauthorised access      Install an 'Identification and
                         Authorisation' system. Adopt a
                         'two-man rule' for granting
                         privileges.

                         Regularly check logs.

                         Regularly check that configuration is
                         correct. Install a Firewall.

                         See above chapter 'Important IT
                         Security functions'

5.1.3 Media handling

Threat                         Prevention method

Total loss of information      Media should be kept in a safe
through theft of media         place under lock and key.

Loss (by copying or transfer)  Encrypt sensitive information.
of information as a result of  Staff handling the media should
unauthorised access to, or     not have access to the
loan of, media                 encryption keys.

                               'Two-man rule' for back-up.

                               'Two-man rule' for access to
                               archives.

Loss (by copying or transfer)  Never send equipment with
of information during          sensitive information on mounted
servicing                      media for servicing.
                               (It is not enough to 'Delete'
                               sensitive information because of
                               'Undelete /unerase'
                               possibilities)

5.1.4. Malicious program code

Threat                       Prevention method

Viruses and other malicious  Install 'Anti-virus software'. See
programs                     Chapter 'Investigations', Section
                             'Malicious program code' in the
                             Interpol Computer Crime Manual.

Programs altered to obtain   Depends on computer architecture.
access to, or manipulate,
information without          Use separate systems for program
authorisation                development and for 'production'.

                             If possible, restrict access to
                             'source code', 'compilers' and
                             'editors' in 'production' system
                             and restrict use or installation
                             of non-standard software packages.

                             An Intrusion Detection System
                             might detect this type of problem.
                             See above chapter 'Important IT
                             Security functions'

5.1.5. Electronic Emission

Threat                           Prevention method

Despite all precautions, it is   Use equipment with no or
still possible for a determined  limited signal leakage
intruder to eavesdrop on         ('tempest') or put the
information by picking up and    equipment in a shielded room.
interpreting electromagnetic     Although effective, those
emissions from the Personal      methods are expensive and are
Computer or workstation. In a    only to be recommended when
manner somewhat similar to the   there is an extremely high
way in which it is possible to   risk. Optical fibres can be
detect the operation of a        used to prevent emission
television receiver and          leakage from the lines running
determine which channel is       between peripherals and the
being watched. This type of      Local Area Network (LAN).
eavesdropping is most likely to
occur when very sensitive        Encryption of the Wide Area
information, such as that of     Network (WAN) will not stop
high commercial value or         electromagnetic emissions but
dealing with matters of          the eavesdropper will not be
national security is involved.   able to use the information
                                 without the encryption key.

5.2 Microcomputer (stand-alone, Personal Computer) systems

Much sensitive information is stored on personal computer
systems. The main risk is unauthorised access to that data, or
that the data may become corrupted or lost.

READ/CREATE/MODIFY/DELETE

Threat                        Prevention method

Corruption of files (program  Keep program diskettes
or data). A major cause of    write-protected at all times.
data loss and corruption is
the introduction of viruses   Do not keep data and software on
to computer systems.          the same diskette. Otherwise, if
                              software becomes corrupted or
                              infected, the data will usually
                              be lost as well. Making files
                              read-only will prevent them from
                              being infected by some viruses,
                              but not all of them. All media should
                              be scanned for viruses before
                              use, preferably on a system
                              specially designated for the
                              purpose.

Unauthorised access of        Restrict physical access to the
information stored in the     Personal Computer, by locking the
computer                      door (and the machine if
                              possible) whenever it has to be
                              left unattended. Machines should
                              never be left switched on and
                              running, unless a reliable
                              software protection mechanism has
                              been installed.

Unauthorised use of the       As above.
computer

Malicious programs (e.g.      See Chapter 'Investigations',
viruses)                      Section 'Malicious program code'
                              in the Interpol Computer Crime
                              Manual.

Loss (by copying or           Never send equipment with
transfer) of information      sensitive information on mounted
during servicing              media for servicing.
                              (It is not enough to 'delete'
                              sensitive information because of
                              'undelete/unerase'
                              possibilities).

Theft of the computer         Restrict physical access to the
                              Personal Computer, by locking the
                              door (and the machine if
                              possible) whenever it has to be
                              left unattended.

                              Laptops are particularly at risk
                              when left unattended in hotel
                              rooms etc.

                              Use cryptography to protect
                              information from unauthorised
                              access.

TRANSPORT

Threat                           Prevention method

Loss of confidential or secret   Transport media in sealed
information during transport.    envelopes and/or locked boxes.

Manipulation of media during     As above and electronic seal
transport                        (cryptologic checksum) on
                                 information.

Total loss of media during       Never leave media unattended
transport                        in cars, hotel rooms etc.

STORE

Threat                   Prevention method

Loss (by copying or      Diskettes and other media should be
transfer) of             kept locked up in a safe place when
information              not in use.

Physical loss of         As above and it is advisable to
information              install removable hard disks, which
                         should be kept in a safe place.

Total loss of            Regular back-ups of data and system
information through      files are essential. Together with the
theft of computer        logging information, they will provide
and/or media             a comprehensive security information
                         package. For back-up guidelines, see
                         3.6

Loss (by copying or      See 'Architecture-independent threats'
transfer) of             above.
information as a result
of unauthorised access
to, or loan of, media

5.3 Network architectures and Mini-computer systems

Local Area Network (LAN)

If a Personal Computer is connected to a network, there are two
other possibilities for interfering with data, in addition to
the dangers of physical access to the machine (as mentioned
above).

Firstly, it becomes possible to access the information stored on
the Personal Computer via the network. Care should therefore be
taken to ensure networking software is correctly configured, and
that only that information which is intended to be generally
accessible is stored in directories which can be accessed via a
network.

Secondly, the danger of leaving a Personal Computer unattended
is much greater: not only can the data on the Personal Computer
itself be compromised, but there is also a risk that any data
which the rightful user of the Personal Computer may be able to
access over the network will also be compromised.

In a network environment, especially where sensitive material is
in use, it is essential to keep a central record of activity,
i.e. a log. This should be held on a machine that is known to be
secure, and should contain a record of ALL activity on the
network; there should also be a procedure for examining the log,
so that all suspicious events can be highlighted and
investigated.
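The two rules above (limit temporary staff to the time and day required for the task, and examine the central log so suspicious events are highlighted) can be made routine. The following is an added example, not code from the Interpol document; the account roster, the log format and the log lines are all constructed for illustration.

```python
"""Log review and temporary-account check (added example).

Turns two prevention methods from the document into a routine check:
temporary accounts get an expiry date and permitted hours, and the
central log is scanned for login events that break those rules or
come from accounts nobody approved. All data below is constructed.
"""
from datetime import date, datetime, time

# Constructed account roster. Temporary accounts carry an expiry date
# and the hours during which the task requires access; permanent staff
# have neither restriction.
ROSTER = {
    "alice":   {"temporary": False, "expires": None, "hours": None},
    "svc_eng": {"temporary": True, "expires": date(2024, 3, 8),
                "hours": (time(8, 0), time(17, 0))},
    "consult": {"temporary": True, "expires": date(2024, 2, 1),
                "hours": (time(9, 0), time(18, 0))},
}

# Constructed central log, one event per line:
# "<ISO timestamp> <event> <account> <source>"
SAMPLE_LOG = """\
2024-03-05T09:12:00 LOGIN alice ws-12
2024-03-05T22:40:00 LOGIN svc_eng modem-1
2024-03-06T10:05:00 LOGIN consult ws-07
2024-03-06T10:06:00 LOGIN mallory ws-07
2024-03-06T10:07:00 LOGOUT alice ws-12
"""


def accounts_to_close(roster, today_iso):
    """Temporary accounts whose access period has ended but still exist.

    These are the accounts the document warns about forgetting to
    cancel. `today_iso` is a date such as "2024-03-06".
    """
    today = date.fromisoformat(today_iso)
    return sorted(
        name for name, acct in roster.items()
        if acct["temporary"] and acct["expires"] is not None
        and acct["expires"] < today
    )


def review_log(log_text, roster):
    """Return (line_no, reason) for every login event needing a look."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split()
        if len(parts) != 4:
            findings.append((line_no, "malformed log line"))
            continue
        stamp, event, account, source = parts
        if event != "LOGIN":
            continue
        when = datetime.fromisoformat(stamp)
        acct = roster.get(account)
        if acct is None:
            findings.append((line_no,
                             f"login by account not in roster: {account}"))
            continue
        if acct["expires"] is not None and when.date() > acct["expires"]:
            findings.append((line_no,
                             f"login by expired temporary account: {account}"))
        if acct["hours"] is not None:
            start, end = acct["hours"]
            if not (start <= when.time() <= end):
                findings.append((line_no,
                                 f"login outside permitted hours: {account} "
                                 f"via {source}"))
    return findings


if __name__ == "__main__":
    for name in accounts_to_close(ROSTER, "2024-03-06"):
        print("close account:", name)
    for line_no, reason in review_log(SAMPLE_LOG, ROSTER):
        print(f"line {line_no}: {reason}")
```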

Wide Area Network (WAN)

Networks are connected either by cable, by microwave or
satellite. The latter are vulnerable to interception as are any
radio transmissions unless the data is encrypted. The
transmission of electronic signals is governed by standards that
are called 'protocols'. There are many standards; the most
common is TCP/IP, the standard packet-switching protocol used
for the Internet. Such connections can be protected against
improper use or interception in various ways. The best
way is to use Identification, Authentication and Cryptography as
well as firewall and Intrusion Detection Systems (IDS).

Costs have also to be considered. Telecommunication companies
can offer the use of dedicated lines (as often used by
financial institutions), which means that these lines are not
available for normal public use and are protected against
intrusion, but they cost substantially more. This also applies
to encryption. There are a number of encryption standards and
devices ranging from small logical keys installed on sending and
receiving equipment to higher levels of coding which use
complicated mathematical cycles and algorithms. The decision to
implement such higher level systems will have to be taken in the
light of the value of transmitted data.

It must also be remembered that encryption is not an infallible
solution and that its use raises various problems, e.g. several
countries are developing, or discussing the development of a
specific law to regulate the use of encryption.

Even when communications are well protected, problems of
unauthorised access can occur if a well-protected system is
linked directly to another that is not protected. Any given
system is only as secure as those to which it is connected.

INTERNET

Victims of Internet attacks are often organisations that did not
bother too much about their security or who trusted some sales
person who said that the Internet connection was absolutely
safe.

A lot of safeguards are mentioned above and they are applicable
for the Internet as well. Some additions are:

   * Do not connect computers or entire networks, which contain
     your critical information (e.g. financial, confidential,
     privacy) to the Internet.
   * If possible restrict the way to the Internet to just one
     single point of connection.
   * Do not store your password or identification number on your
     hard disk; protect it in some other way from unauthorised
     access. Create a password policy (see chapter 3.4.1,
     identification - password systems).
   * Check and update your list of user accounts.
   * Install a firewall system and an IDS.
   * Do not download files or open emails which you do not
     trust.
   * Install anti-virus software and update it frequently.
   * Be aware of shared files which might be accessed by
     unauthorised persons.
   * Be aware of cookies, Java and ActiveX applets etc.
   * Install only minimal options.

THREATS

READ/CREATE/MODIFY/DELETE

Threat                          Prevention method

Manipulations or unauthorised   See chapter 5.2. Microcomputer
access to software or           systems
information in each
workstation (Personal
Computer) in the network

Unauthorised access to          Users should be given specific
information in the 'server' by  written guidelines on what
users                           they are allowed and not
                                allowed to do. Guidelines
                                should be signed for.

                                Install an 'Identification and
                                Authorisation' system. Adopt a
                                'two-man rule' for granting
                                privileges.

                                Regularly check logs.

                                Regularly check that
                                configuration is correct. IDS
                                should be installed.

Unauthorised access to          As above and:
information by system
administrators, programmers     Use separate systems for
etc.                            program development and for
                                'production'.

                                Restrict access to server;
                                adopt 'two-man rule'.

                                Restrict use of 'super
                                user'/'root' privileges.

Corruption of files (program    All media should be scanned
or data). A major cause of      for viruses, preferably on a
data loss and corruption is     system specially designated
the introduction of viruses     for the purpose, before use.
to computer systems.
                                Erase all unnecessary code,
                                default and unused procedures.

Total loss of information       Regular back-ups of data and
through 'disk crash' or         system files are essential.
deliberate destroying of files  Together with the logging
                                information, they will provide
                                a comprehensive security
                                information package. For
                                back-up guidelines, see 3.6

Loss (by copying or transfer)   Some mini-server servicing can
of information during           be done 'on-site' but in the
servicing                       case of some hardware problems
                                the equipment will have to be
                                taken away for repair by the
                                service company/vendor.

                                Never send equipment with
                                sensitive information on media
                                for servicing without a
                                verifiable guarantee that the
                                information will be destroyed.
                                (It is not enough to 'delete'
                                the sensitive information
                                because of 'undelete' and
                                'unformat' possibilities)

                                Remember that after repair,
                                the disk drives could be
                                reused somewhere else and your
                                information might be
                                compromised.

                                If it is decided to replace a
                                disk with sensitive
                                information, destroy it
                                yourself.

Theft of the server             The server should be kept
                                locked up in a safe place.

TRANSPORT in Local Area Network (LAN)

Threat                        Prevention method

Interception of cables        Segmentation of the LAN.

                              Use optical fibres.

                              Regularly inspect LAN.

                              Encrypt LAN.

Interception of network       Restrict physical access to
components (like 'routers',   components.
'bridges', 'gateways',
'repeaters' etc.)             Regularly check that the
                              configuration of each individual
                              component is correct.

Manipulation of network       As above.
components

Unapproved workstations       The system should be set up in a
                              way that the management must
                              approve the workstations before
                              they can be used.

                              Regularly check that the
                              configuration is correct.

Network administrator         Network Administrators should be
accessing user files          given specific written guidelines
                              on what they should and should
                              not do. Guidelines should be
                              signed for.

                              Restrict use of 'administrator'
                              privileges.

                              Install an 'Identification and
                              Authorisation' system.

                              Adopt a 'two-man rule' for
                              granting privileges.

Access to the LAN from        Provide guidelines for the use of
'outside'                     modems or other connections.

                              IDS and firewall should be used.

                              Regularly check that the
                              configuration is correct.

TRANSPORT in Wide Area Network (WAN)

Threat                           Prevention method

Interception of cables           Communications can be
                                 encrypted, but there may be
                                 legal restrictions.

Interception of radio            As above.
communications

Intruders                        Use special modems at each
('hacking'/'cracking')           end, which recognise each
                                 other's signals (mutual
                                 signal recognition).

                                 Install an 'Identification
                                 and Authorisation' system.
                                 Adopt a 'two-man rule' for
                                 granting privileges.

                                 IDS and firewall should be
                                 used.

                                 For password rules, see
                                 chapter 3.4., User
                                 Identification and
                                 Authorisation.

TRANSPORT of media

Threat                           Prevention method

Loss of confidential or secret   Transport media in sealed
information during transport     envelopes or locked boxes.
                                 Cryptography should be used.

Manipulation of media during     As above and:
transport
                                 Electronic seal (cryptologic
                                 checksum) on information.

Total loss of media during       Never leave media unattended
transport                        in cars etc.

STORE

Threat                        Prevention method

Loss (by copying or           Media should be kept in a safe
transfer) of information      place under lock and key.

                              'Two-man' rule for access to
                              archives.

Total loss of information     Regular back-ups of data and
through theft of media        system files are essential.
                              Together with the logging
                              information, they will provide a
                              comprehensive security
                              information package. For back-up
                              guidelines, see 3.6.

5.4 Mainframe-computer systems

There is normally some kind of access system to a mainframe via
terminals or a number of LANs with workstations, which will be
subject to the threats mentioned above. In that connection, see
5.1 (Architecture-independent threats), 5.2 (Microcomputer
systems), and 5.3 (Network architectures and Mini-computer
systems), as appropriate.

THREATS

READ/CREATE/MODIFY/DELETE

Threat                          Prevention method

Manipulations or unauthorised   Use separate computers for
access to software              system/program development and
                                'production'.

                                If possible, restrict access to
                                'source code', 'compilers' and
                                'editors' in 'production'
                                system.

Unauthorised access to          Users should be given specific
information                     written guidelines on what they
                                should and should not do.
                                Guidelines should be signed
                                for.

                                Install an 'Identification and
                                Authorisation' system. Adopt a
                                'two-man rule' for granting
                                privileges.

                                IDS and firewall should be
                                used.

                                Regularly check logs.

                                Regularly check that
                                configuration is correct.

Unauthorised access to          As above and:
information by system
administrators, programmers     Separate test/development
etc.                            systems from production
                                systems.

                                Restrict access to the computer
                                room. 'Closed shop' for all
                                other than those working in the
                                computer room.

                                Restrict use of 'super
                                user'/'root' privileges.

                                Cryptography should be used for
                                confidential information.

Corruption of files (program    Use 'checksums' on sensitive
or data) by malicious programs  software to make it possible to
                                check that it has not been
                                changed deliberately.

                                Erase all unnecessary code,
                                default and unused procedures.

Loss (by copying or transfer)   Servicing of mainframe systems
of information during           is done 'on site'. In the case
servicing                       of hardware problems with disk
                                drives they should be replaced
                                and the faulty ones sent to the
                                vendor for repair, if possible.
                                They can later be used as
                                replacements, perhaps at
                                another site.

                                Never send equipment with
                                sensitive information on media
                                for servicing without a
                                verifiable guarantee that the
                                information will be destroyed.
                                (It is not enough to 'Delete'
                                sensitive information because
                                of 'Undelete' and 'Unformat'
                                possibilities).

                                Cryptography should be used for
                                confidential information.

TRANSPORT in Local Area Network (LAN)

Threat                         Prevention method

Same as above. See 5.3         See 5.3 (Network architectures
(Network Architectures and     and Mini-computer systems)
Mini-computer systems)

TRANSPORT in Wide Area Network (WAN)

Threat                         Prevention method

Same as above. See 5.3         See 5.3 (Network architectures
(Network Architectures and     and Mini-computer systems)
Mini-computer systems)

TRANSPORT of media

Threat                          Prevention method

Loss of confidential or secret  Transport media in sealed
information during transport    envelopes or locked boxes.
                                Cryptography should be used
                                for confidential information.

Manipulation of media during    As above and electronic seal
transport                       (cryptologic checksum) on
                                information.

Total loss of media during      Never leave media unattended
transport                       in cars etc.
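The 'electronic seal (cryptologic checksum)' recommended for media in transport, and the 'checksums' on sensitive software recommended in the READ/CREATE/MODIFY/DELETE table above, both come down to the same mechanism. The following is an added example, not code from the Interpol document: it builds a keyed seal (HMAC-SHA256, my choice; the document names no algorithm) over a set of files and verifies it, and the file contents and key are constructed for illustration. A plain, unkeyed checksum only catches accidental corruption, because whoever alters a file can recompute it; a keyed seal cannot be recomputed without the key, which stays with the owner and never travels with the media (the document's point that staff handling media should not hold the keys).

```python
"""Electronic seal (keyed checksum) over a set of files (added example).

The owner seals the files before they leave, keeps the key, and
verifies the seal on arrival or at the next integrity check. Sealing
the manifest as a whole also catches files being removed or added,
which per-file digests alone would not. All sample data is constructed.
"""
import hashlib
import hmac
import json

# Constructed sample contents standing in for the files on the media.
ORIGINAL_FILES = {
    "payroll.dat": b"emp,1001,5400\nemp,1002,6100\n",
    "prog/report.exe": b"MZ\x90\x00stub-binary-for-the-example",
}

# Constructed secret. In practice it is generated randomly and held by
# the owner, separately from the media it protects.
SEAL_KEY = b"owner-held-secret-not-on-the-media"


def seal(files, key):
    """Build a manifest: a keyed digest per file plus a seal over it."""
    entries = {
        name: hmac.new(key, data, hashlib.sha256).hexdigest()
        for name, data in sorted(files.items())
    }
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries,
            "seal": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify(files, manifest, key):
    """Return a list of findings; an empty list means the media is intact."""
    findings = []
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking information through timing differences.
    if not hmac.compare_digest(expected, manifest["seal"]):
        findings.append("manifest seal invalid: manifest itself was altered")
    for name, digest in manifest["entries"].items():
        if name not in files:
            findings.append(f"missing: {name}")
            continue
        actual = hmac.new(key, files[name], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(actual, digest):
            findings.append(f"modified: {name}")
    for name in files:
        if name not in manifest["entries"]:
            findings.append(f"unexpected file: {name}")
    return findings


def tampered_copy():
    """Constructed scenario: the payroll file was changed in transit.

    Without the key the changed file cannot be given a matching
    digest, so verify() reports it.
    """
    files = dict(ORIGINAL_FILES)
    files["payroll.dat"] = b"emp,1001,9400\nemp,1002,6100\n"
    return files


if __name__ == "__main__":
    manifest = seal(ORIGINAL_FILES, SEAL_KEY)
    print("intact:", verify(ORIGINAL_FILES, manifest, SEAL_KEY))
    print("tampered:", verify(tampered_copy(), manifest, SEAL_KEY))
```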

STORE

Threat                        Prevention method

Loss (by copying or           Media should be kept in a safe
transfer) of information      place under lock and key.

                              'Two-man rule' for access to
                              archives.

Total loss of information     Regular back-ups of data and
through theft of media        system files are essential.
                              Together with the logging
                              information, they will provide a
                              comprehensive security
                              information package. For back-up
                              guidelines, see 3.6.

6. IT Security - International workgroups
----------------------------------------------------------------

The European Commission has recognised the need for a
comprehensive approach to information system security to protect
the individual, the business community and public
administrations against increasingly sophisticated threats and
combinations of threats.

Consequently, the Commission took the initiative of proposing an
overall 'framework' in which information security problems could
be assessed and an appropriate set of solutions identified and
developed.

The evaluation of the security of information systems has been a
key activity with regard to the implementation of a number of
the action lines. The European criteria ITSEC (IT Security
Evaluation Criteria), and the associated methodology (ITSEM),
have been the subject of many of the INFOSEC projects. The US
evaluation criteria (TCSEC, Trusted Computer System Evaluation
Criteria) are commonly known as the 'Orange Book'. A new
standard, the CC (Common Criteria), has been adopted as the new
international standard and will replace ITSEC and TCSEC over
time. However, ITSEC and TCSEC will be used in parallel with CC
for some time.
